AUERBACH 


Information Security 
Policies, Procedures, 
and Standards 


Guidelines for Effective Information 
Security Management 




THOMAS R. PELTIER 




OTHER AUERBACH PUBLICATIONS 


ABCs of IP Addressing 
Gilbert Held 
ISBN: 0-8493-1144-6 


Application Servers for E-Business 
Lisa M. Lindgren 
ISBN: 0-8493-0827-5 


Architectures for E-Business Systems 
Sanjiv Purba, Editor 
ISBN: 0-8493-1161-6 


A Technical Guide to IPSec Virtual 
Private Networks 

James S. Tiller 

ISBN: 0-8493-0876-3 


Building an Information Security 
Awareness Program 

Mark B. Desman 

ISBN: 0-8493-0116-5 


Computer Telephony Integration 
William Yarberry, Jr. 
ISBN: 0-8493-9995-5 


Cyber Crime Investigator's 
Field Guide 

Bruce Middleton 

ISBN: 0-8493-1192-6 


Cyber Forensics: 

A Field Manual for Collecting,
Examining, and Preserving Evidence 
of Computer Crimes 

Albert J. Marcella and Robert S. Greenfield, 
Editors 

ISBN: 0-8493-0955-7 


Information Security Architecture 
Jan Killmeyer Tudor 
ISBN: 0-8493-9988-2 


Information Security Management 
Handbook, 4th Edition, Volume 1 
Harold F. Tipton and Micki Krause, Editors 
ISBN: 0-8493-9829-0 


Information Security Management 
Handbook, 4th Edition, Volume 2 
Harold F. Tipton and Micki Krause, Editors 
ISBN: 0-8493-0800-3 


Information Security Management 
Handbook, 4th Edition, Volume 3 
Harold F. Tipton and Micki Krause, Editors 
ISBN: 0-8493-1127-6 


Information Security Policies, 
Procedures, and Standards: 
Guidelines for Effective Information 
Security Management 

Thomas Peltier 

ISBN: 0-8493-1137-3 


Information Security Risk Analysis 
Thomas Peltier 
ISBN: 0-8493-0880-1 


Information Technology Control 
and Audit 

Frederick Gallegos, Sandra Allen-Senft, 
and Daniel P. Manson 

ISBN: 0-8493-9994-7 


New Directions in Internet 
Management 

Sanjiv Purba, Editor 

ISBN: 0-8493-1160-8 


New Directions in Project Management 
Paul C. Tinnirello, Editor 
ISBN: 0-8493-1190-X 


A Practical Guide to Security 
Engineering and Information 
Assurance 

Debra Herrmann 

ISBN: 0-8493-1163-2 


The Privacy Papers: 

Managing Technology and Consumers, 
Employee, and Legislative Action 
Rebecca Herold 

ISBN: 0-8493-1248-5 


Secure Internet Practices: 

Best Practices for Securing Systems 
in the Internet and e-Business Age 
Patrick McBride, Jody Patilla, Craig Robinson,
Peter Thermos, and Edward P. Moser 

ISBN: 0-8493-1239-6 


Securing and Controlling Cisco Routers 
Peter T. Davis 
ISBN: 0-8493-1290-6 


Securing E-Business Applications and 
Communications 

Jonathan S. Held and John R. Bowers 
ISBN: 0-8493-0963-8


Securing Windows NT/2000: 
From Policies to Firewalls 
Michael A. Simonyi 

ISBN: 0-8493-1261-2


TCP/IP Professional Reference Guide 
Gilbert Held 
ISBN: 0-8493-0824-0


AUERBACH PUBLICATIONS 


www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401


E-mail: orders@crcpress.com 



AUERBACH PUBLICATIONS 


A CBC Press Company 
Boca Raton London New York Washington, D.C. 


Library of Congress Cataloging-in-Publication Data 


Peltier, Thomas R. 
Information security policies, procedures, and standards : guidelines for effective 
information security management/Thomas R. Peltier. 
p. cm. 
Includes bibliographical references and index. 
ISBN 0-8493-1137-3 (alk. paper) 
1. Computer security. 2. Data protection. I. Title. 


QA76.9.A25 P46 2001 
005.8--dc21
2001045194 


This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted
with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been
made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the
validity of all materials or for the consequences of their use.


Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or
mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system,
without prior permission in writing from the publisher.


The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new 
works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying. 


Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431. 


Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for
identification and explanation, without intent to infringe.


Visit the Auerbach Publications Web site at www.auerbach-publications.com


© 2002 by CRC Press LLC
Auerbach is an imprint of CRC Press LLC 


No claim to original U.S. Government works
International Standard Book Number 0-8493-1137-3 
Library of Congress Card Number 2001045194 
Printed in the United States of America 1234567890 
Printed on acid-free paper 


Dedication 


To Lisa, my editor and life compass 




Contents


Acknowledgments ..... xi
Introduction ..... xiii
1 Overview: Information Protection Fundamentals ..... 1
    1.1 Elements of Information Protection ..... 1
    1.2 More Than Just Computer Security ..... 3
    1.3 Roles and Responsibilities ..... 4
    1.4 Common Threats ..... 8
    1.5 Policies and Procedures ..... 9
    1.6 Risk Management ..... 9
    1.7 Typical Information Protection Program ..... 11
    1.8 Summary ..... 11
2 Writing Mechanics and the Message ..... 13
    2.1 Attention Spans ..... 15
    2.2 Key Concepts ..... 15
    2.3 Topic Sentence and Thesis Statement ..... 16
    2.4 The Message ..... 17
    2.5 Writing Don'ts ..... 18
    2.6 Summary ..... 18
3 Policy Development ..... 21
    3.1 Policy Definitions ..... 21
    3.2 Frequently Asked Questions ..... 22
    3.3 Policies Are Not Enough: A Preliminary Look at Standards, Guidelines and Procedures ..... 25
    3.4 Policy, Standards, Guidelines, and Procedures: Definitions and Examples ..... 26
    3.5 Policy Key Elements ..... 27
    3.6 Policy Format and Basic Policy Components ..... 28
    3.7 Policy Content Considerations ..... 31
    3.8 Program Policy Examples ..... 32
    3.9 Topic-Specific Policy Examples ..... 38
    3.10 Additional Hints ..... 44
    3.11 Topic-Specific Policy Subjects to Consider ..... 45
    3.12 An Approach for Success ..... 46
    3.13 Additional Examples ..... 47
    3.14 Summary ..... 50
4 Mission Statement ..... 53
    4.1 Background on Your Position ..... 53
    4.2 Business Goals versus Security Goals ..... 54
    4.3 Computer Security Objectives ..... 55
    4.4 Mission Statement Format ..... 56
    4.5 Allocation of Information Security Responsibilities (ISO 17799-4.1.3) ..... 56
    4.6 Mission Statement Examples ..... 57
    4.7 Support for the Mission Statement ..... 63
    4.8 Key Roles in Organizations ..... 64
    4.9 [illegible] ..... 65
    4.10 Review ..... 66
5 Standards ..... 69
    5.1 Where Does a Standard Go? ..... 70
    5.2 What Is a Standard? ..... 70
    5.3 International Standards ..... 71
    5.4 [illegible] ..... 76
6 Writing Procedures ..... 83
    6.1 Definitions ..... 83
    6.2 Writing Commandments ..... 84
    6.3 Key Elements in Procedure Writing ..... 86
    6.4 Procedure Checklist ..... 86
    6.5 Getting Started ..... 87
    6.6 Procedure Styles ..... 88
    6.7 Create a Procedure ..... 105
    6.8 Summary ..... 105
7 Information Classification ..... 107
    7.1 Introduction ..... 107
    7.2 Why Classify Information ..... 107
    7.3 What Is Information Classification? ..... 108
    7.4 Establish a Team ..... 109
    7.5 Developing the Policy ..... 110
    7.6 Resist the Urge to Add Categories ..... 110
    7.7 What Constitutes Confidential Information ..... 111
    7.8 Classification Examples ..... 113
    7.9 Declassification or Reclassification of Information ..... 118
    7.10 Information Classification Methodology ..... 118
    7.11 Authorization for Access ..... 147
    7.12 Summary ..... 148
8 Security Awareness Program ..... 149
    8.1 Key Goals of an Information Security Program ..... 149
    8.2 Key Elements of a Security Program ..... 150
    8.3 Security Awareness Program Goals ..... 151
    8.4 Identify Current Training Needs ..... 153
    8.5 Security Awareness Program Development ..... 154
    8.6 Methods Used to Convey the Awareness Message ..... 155
    8.7 Presentation Key Elements ..... 157
    8.8 Typical Presentation Format ..... 157
    8.9 When to Do Awareness ..... 158
    8.10 The Information Security Message ..... 158
    8.11 Information Security Self-Assessment ..... 158
    8.12 Conclusion ..... 159
9 Why Manage This Process as a Project? ..... 161
    9.1 First Things First — Identify the Sponsor ..... 161
    9.2 Defining the Scope of Work ..... 163
    9.3 Time Management ..... 164
    9.4 Cost Management ..... 170
    9.5 Planning for Quality ..... 170
    9.6 Managing Human Resources ..... 171
    9.7 Creating a Communications Plan ..... 171
    9.8 Summary ..... 173
10 Information Technology: Code of Practice for Information Security Management ..... 175
    10.1 Scope ..... 175
    10.2 Terms and Definitions ..... 175
    10.3 Information Security Policy ..... 176
    10.4 Organization Security ..... 177
    10.5 Asset Classification and Control ..... 178
    10.6 Personnel Security ..... 179
    10.7 Physical and Environmental Security ..... 180
    10.8 Communications and Operations Management ..... 181
    10.9 Access Control Policy ..... 182
    10.10 Systems Development and Maintenance ..... 183
    10.11 Business Continuity Planning ..... 183
    10.12 Compliance ..... 184
11 Review ..... 187
Appendices
Appendix A Policy Baseline Checklist ..... 195
    Policy Baseline ..... 195
Appendix B Sample Corporate Policies ..... 205
    Conflict of Interest ..... 205
    Employee Standards of Conduct ..... 208
    External Corporate Communications ..... 211
    Information Protection ..... 213
    General Security ..... 214
Appendix C List of Acronyms ..... 215
Appendix D Sample Security Policies ..... 225
    Network Security Policy ..... 225
    Business Continuity Planning ..... 230
    Dial-In Access ..... 231
    Access Control ..... 233
    Communications Security Policy ..... 234
    Software Development Policy ..... 236
    System and Network Security Policy ..... 237
    Electronic Communication Policy ..... 238
    Sign-On Banner ..... 242
    Standards of Conduct for Electronic Communications ..... 243
    E-Mail Access Policy ..... 244
    Internet [illegible] ..... 246
    Software [illegible] ..... 249
Appendix E Job Descriptions ..... 255
    Chief Information Officer (CIO) ..... 255
    Information Security Manager ..... 257
    Security Administrator ..... 258
    Firewall Administrator, Information Security ..... 260
Appendix F Security Assessment ..... 261
    I. [illegible] ..... 261
    II. Organizational Suitability ..... 264
    III. Physical [illegible] ..... 269
    IV. Business Impact Analysis, Continuity Planning Processes ..... 273
    V. Technical Safeguards ..... 278
    VI. Telecommunications Security ..... 281
Appendix G References ..... 285
About the Author ..... 287


Acknowledgments


It seems that I have spent the greatest part of my working life writing policies
and procedures. As the result of an ongoing audit at the company where I
was working, I was asked to step in and develop a set of information security
policies and procedures. Because I had taken courses in writing fiction and
poetry and had a poem published in the school literary journal, I felt I was
highly qualified for this task. Little did I know. After a couple of attempts, I
took everything I had learned about image development, character development,
complex sentences and threw it all away. I had to go back to the basics
and I had a lot of questions. These questions were answered by a tremendous
group of professionals who have become my friends.

First in my list of acknowledgments is my mentor and friend, John O'Leary,
the Director of the Computer Security Institute-Education Resource Center. No
matter what the subject, John seems to have some experience in all areas of
information security, and he is always ready to lend an opinion and direction.
It was his encouragement to “try it; if they don't stone you, then you're onto
something.” John's approach is always a bit more formal than mine, but he
encouraged me to find the path of least resistance. John and his wonderful wife
Jane have always been available to bounce ideas off of or just to listen and
offer advice.

Lisa Bryson is my friend, fellow information security professional, editor, and
now my wife. We have known each other for almost 15 years and have had many
a lively discussion on how security should be implemented. She always reminds
me that not many people can see the smile on your face through your writings.
Say what you mean, and do not be a wise guy. I hate it when she is always right.

Next on my list is Pat Howard. I must have been a very good person in a
previous life to be afforded the opportunity to meet and work with Pat. He is
able to take some of my ramblings, my very bad drawings on flipcharts, and turn
them into finished products. He keeps me on track and provides insight on the
new standards and other requirements.

John Blackley and Terri Curran are two dear friends who have allowed me to
review and research their materials, and they did the same for me. Before we
were consultants, we worked at organizations that required policies, procedures,
and standards, but did not want anything to impede the business process. John,
Terri, and I spent many hours discussing how to get management to understand
just how bright we were and that our documents were going to save our companies
in spite of themselves.

Who can leave out his publisher? Certainly not me; Rich O'Hanley has taken 
the time to discuss policies and procedures with numerous organizations to 
understand what their needs are and then presented these findings to me. A great 
deal of my work here is a direct result of what Rich discovered the industry wanted. 

Others who have helped me along the way include: 


• Justin Peltier, my son, fellow information security professional, and best
  friend

• William H. Murray, the first person I heard speak on the security needs
  of organizations, and who has inspired me ever since

• Hal Tipton, the steady voice of reason in this crazy profession

• Charles Cresson Wood, fellow writer

• Harry DeMaio, whose book (Information Security and Other Unnatural
  Acts) gave great insight into just how difficult our task is

• Mike Corby, my friend and now boss. (I have known Mike for over
  25 years, and he has always given the best and most honest advice. If
  you would like the prototype for the honest man, you could stop the
  search when you meet Mike Corby.)

• Rich O'Hanley, not only the world's best editor and task master, but a
  good friend and source of knowledge. How he keeps his sanity while
  working with writers is totally beyond me. Thanks Rich!


Introduction 


The purpose of an information security program is to protect the valuable
information resources of an enterprise. Through the selection and application of
appropriate policies, standards, and procedures, an overall security program helps
the enterprise meet its business objective or mission charter. Because security is
sometimes viewed as thwarting business objectives, it is necessary to ensure that
effective, well-written policies, standards, and procedures are implemented.

When writing information security polices, standards, and procedures, it is 
necessary to make certain that proper grammar and punctuation are used. 
Part of an effective book on writing should discuss these topics. The impor- 
tance of an effective topic sentence to the overall success of a policy statement 
must be addressed. 

Since I came into the information security profession in 1977, we have
discussed the need for standardization of the practice. We saw the beginnings
of this process when the National Institute of Standards and Technology (NIST)
began publishing such documents as An Introduction to Computer Security:
The NIST Handbook (NIST Special Publication 800-12).

Now the International Organization for Standardization (ISO) has published
the recently adopted Information Technology — Code of Practice for Information
Security Management (ISO 17799) and its parent British Standard (BS 7799).
These documents and others, such as Banking and Related Financial Services
— Information Security Guidelines (ISO/TR 13569), the Health Insurance Portability
and Accountability Act (HIPAA), Privacy of Consumer Financial Information
(Gramm-Leach-Bliley Act), and the Generally Accepted Information Systems
Security Practices (GASSP), have stepped into the void and provided all security
professionals with a map of where to take the information security program.

Although the title of this book is Information Security Policies, Procedures,
and Standards: Guidelines for Effective Information Security Management,
security is not the end product of these documents. Good security must be
measured in how well the assets of the enterprise are protected while the
mission and business objectives are met. This book will teach the reader how
to develop policies, procedures, and standards that can be used in all aspects
of enterprise activities.


Chapter 1 


Overview: Information 
Protection Fundamentals 


The purpose of information protection is to protect the valuable resources of 
an organization, such as information, hardware, and software. Through the 
selection and application of appropriate safeguards, security helps the orga- 
nization to meet its business objectives or mission by protecting its physical 
and financial resources, reputation, legal position, employees, and other 
tangible and intangible assets. We examine the elements of computer security, 
employee roles and responsibilities, and common threats. We also examine 
the need for management controls, polices and procedures, and risk analysis. 
Finally, we present a comprehensive list of tasks, responsibilities, and objec- 
tives that make up a typical information protection program. 


1.1 Elements of Information Protection 


Information protection should be based on eight major elements:


1. Information protection should support the business objectives or
   mission of the enterprise. This idea cannot be stressed enough. All
   too often, information security personnel lose track of their goals and
   responsibilities. The position of ISSO (Information Systems Security
   Officer) has been created to support the enterprise, not the other way
   around.

2. Information protection is an integral element of due care. Senior
   management is charged with two basic responsibilities: a duty of
   loyalty, which means that whatever decisions it makes must be made
   in the best interest of the enterprise, and a duty of care, which means
   that senior management is required to protect the assets of the
   enterprise and make informed business decisions. An effective
   information protection program will assist senior management in
   performing these duties.

3. Information protection must be cost-effective. Implementing controls
   based on edicts is counter to the business climate. Before any control
   can be proposed, it is necessary to confirm that a significant risk exists.
   Implementing a timely risk analysis process can accomplish this. By
   identifying risks and then proposing appropriate controls, the mission
   and business objectives of the enterprise will be better met.

4. Information protection responsibilities and accountabilities should be
   made explicit. For any program to be effective, it is necessary to publish
   an information protection policy statement and an information
   protection group mission statement. The policy should identify the roles and
   responsibilities of all employees. To be completely effective, the
   language of the policy must be incorporated into the purchase agreements
   for all contract personnel and consultants.

5. System owners have information protection responsibilities outside their
   own organization. Access to information often extends beyond the
   business unit or even the enterprise. It is the responsibility of the
   information owner (normally the senior-level manager in the business
   that created the information or the primary user of the information). A
   main responsibility is to monitor usage to ensure that it complies with
   the level of authorization granted to the user.
   If a system has external users, its owners have a responsibility to share
   appropriate knowledge about the existence and general extent of
   control measures so that other users can be confident that the system
   is adequately secure. As the user base expands to include suppliers,
   vendors, clients, customers, shareholders, and the like, it is incumbent
   upon the enterprise to have clear and identifiable controls. For many
   organizations, the initial sign-on screen is the first indication that there
   are controls in place. The message screen should include three basic
   elements:
   a. That the system is for authorized users only
   b. That activities are monitored
   c. That by completing the sign-on process, the user agrees to the
      monitoring

6. Information protection requires a comprehensive and integrated
   approach. To be as effective as possible, it is necessary for information
   protection issues to be part of the system development life cycle.
   During the initial or analysis phase, information protection should
   include a risk analysis, a business impact analysis, and an information
   classification document. Additionally, because information is resident
   in all departments throughout the enterprise, each business unit
   should establish an individual responsible for implementing the
   information protection program to meet the specific business needs of the
   department.




7. Information protection should be periodically reassessed. As with any- 
thing, time changes the needs and objectives. A good information 
protection program examines itself on a regular basis and makes changes 
wherever and whenever necessary. This is a dynamic and changing 
process and therefore must be reassessed at least every 18 months. 

8. Information protection is constrained by the culture of the organization.
   The ISSO must understand that the basic information protection
   program will be implemented throughout the enterprise. However, each
   business unit must be given the latitude to make modifications to meet
   its specific needs. If your organization is multinational, it is necessary
   to make adjustments for each of the various countries. These
   adjustments will have to be examined throughout the United States. What
   might work in Des Moines, Iowa may not fly in Berkeley, California.
   Provide for the ability to find and implement alternatives.
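Element 5 above lists the three things a sign-on message must tell the user. The following Python script is an added example, not from the book, that checks candidate banner texts for those three elements so an administrator can audit banners across systems before users ever see them. The element names, the regular expressions and the two banner texts are assumptions constructed for illustration; adjust the patterns to the wording your own policy requires.

```python
import re

# The three required elements of a sign-on message (element 5 above).
# Patterns are illustrative assumptions; tune them to your policy wording.
REQUIRED_ELEMENTS = {
    "authorized_users_only": re.compile(r"authori[sz]ed\s+(users?|personnel|use)\s+only", re.I),
    "activities_monitored":  re.compile(r"\b(monitor(ed|ing)|logged|recorded)\b", re.I),
    "consent_by_sign_on":    re.compile(r"\b(consent|agree)s?\b", re.I),
}


def check_banner(text):
    """Return the names of required elements that are missing from one banner."""
    return [name for name, pattern in REQUIRED_ELEMENTS.items()
            if not pattern.search(text)]


def audit_banners(banners):
    """Map each banner name to its list of missing elements ([] means compliant)."""
    return {name: check_banner(text) for name, text in banners.items()}


# Constructed sample banners (not taken from the book).
GOOD_BANNER = """WARNING: This system is for authorized users only.
All activities on this system are monitored and recorded.
By signing on you consent to such monitoring."""

WEAK_BANNER = "Welcome to the Payroll system. Please log in."


if __name__ == "__main__":
    results = audit_banners({"good": GOOD_BANNER, "weak": WEAK_BANNER})
    for name, missing in results.items():
        status = "compliant" if not missing else "missing: " + ", ".join(missing)
        print(f"{name}: {status}")
```

Feed `audit_banners` the contents of each host's banner file (for example the file named by `Banner` in sshd_config, or /etc/issue) to get a per-system list of gaps; an empty list means all three elements are present.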


Information protection is a means to an end and not the end in itself. In 
business, having an effective information protection program is usually sec- 
ondary to the need to make a profit. In the public sector, information protection 
is secondary to the services the agency provides. Security professionals must 
not lose sight of these tenets. 

Computer systems and the information processed on them are often con- 
sidered critical assets that support the mission of an organization. Protecting 
them can be as important as protecting other organizational resources, such 
as financial resources, physical assets, and employees. The cost and benefits 
of information protection should be carefully examined in both monetary and 
nonmonetary terms to ensure that the cost of controls does not exceed the 
expected benefits. Information protection controls should be appropriate and 
proportionate. 


1.2 More Than Just Computer Security 


Providing effective information protection requires a comprehensive
approach that considers a variety of areas both within and outside the
information technology area. An information protection program is more
than establishing controls for the computer-held data. It should address all
forms of information. In 1965, the idea of the “paperless office” was first
introduced. The advent of the third-generation computers brought about this
concept. However, today the bulk of all the information available to employees
and others is still found in printed form. To be an effective program,
information protection must move beyond the narrow scope of IT and
address the issues of enterprisewide information protection. A comprehensive
program must touch every stage of the information asset life cycle, from
creation to eventual destruction. The fundamental element to this corporate-
wide program is an Information Security Policy that is part of the corporate
policies and does not come from IT.




1.2.1 Employee Mind-Set toward Controls 


Access to information and the environments that process it are dynamic. 
Technology and users, data and information in the systems, risk associated 
with the system, and security requirements are ever-changing. The ability of 
information protection to support business objectives or the mission of the 
enterprise may be limited by various factors, such as the current mind-set 
toward controls. 

A highly effective method of measuring the current attitude toward infor- 
mation protection is to conduct a “walkabout.” After hours or on a weekend, 
conduct a review of the workstations throughout a specific area (usually a 
department or a floor) and look for just five basic control activities: 


• Offices secured
• Desk and cabinets secured
• Workstations secured
• Information secured
• Diskettes secured


Conducting an initial walkabout in the typical office environment will reveal
a 90 to 95 percent noncompliance rate with at least one of these basic control
mechanisms. The result of this review should be used to form the basis for
an initial risk analysis to determine the security requirements for the office
environment. When conducting such a review, employee privacy issues must
be considered.


1.3 Roles and Responsibilities 


As discussed before, senior management has the ultimate responsibility for
the protection of the organization's information assets. One responsibility is
the establishment of the function of Corporate Information Officer (CIO). The
CIO directs the day-to-day management of information assets of the
organization. The ISSO and Security Administrator should report directly to the CIO
and are responsible for the day-to-day administration of the information
protection program.

Supporting roles are performed by the service providers and by the Systems 
Operations team that designs and operates the computer systems. They are 
responsible for implementing technical security on the systems. The telecom- 
munications department is responsible for providing communication services, 
including voice, data, video, and fax. Security mechanisms must be imple- 
mented to protect these communication services. 

The information protection professional must establish strong working
relationships with the audit staff. If the only time you see the audit staff is
when they are in for a formal audit, then you probably do not have a good
working relationship. It is vitally important that this liaison be established and
that you meet to discuss common problems at least each quarter.


Overview: Information Protection Fundamentals 5 


Other groups include the physical security staff and the contingency plan- 
ning group. These groups are responsible for establishing and implementing 
controls and can form a peer group to review and discuss controls. The group 
responsible for application development methodology will assist in the imple- 
mentation of information protection requirements in the application system 
development life cycle. The quality assurance group can assist in ensuring 
that information protection requirements are included in all development 
projects prior to movement to production. 

The Procurement group can work to get the language of the information
protection policies included in the purchase agreements for contract personnel.
Education and Training can assist in the development and implementation of
information protection awareness programs and in training supervisors on
how to monitor employee activities. Human Resources will be the organization
responsible for taking appropriate action on any violations of the organization's
information protection policy.

An example of a typical job description for an information security pro- 
fessional is shown in Exhibit 1. 


Exhibit 1 Typical Job Description 


Director, Design and Strategy


Location: Anywhere, World

Practice Area: Corporate Global Security Practice
Grade:

Purpose: 


To create an information security design and strategy practice that defines the
technology structure needed to address the security needs of its clients. The
information security design and strategy will complement security and network
services developed by the other Global Practice areas. The design and strategy
practice will support the clients' information technology and architecture and
integrate with each enterprise's business architecture. This security framework will
provide for the secure operation of computing platforms, operating systems, and
networks, both voice and data, to ensure the integrity of the clients' information
assets. To work on corporate initiatives to develop and implement the highest
quality security services and ensure that industry best practices are followed in
their implementation.


Working Relationships:

This position reports in the Global Security Practice to the Vice President, Global
Security. Internal contacts are primarily Executive Management, Practice Directors,
Regional Management, as well as mentoring and collaborating with consultants.
This position will directly manage two professional positions: Manager, Service
Provider Security Integration, and Service Provider Security Specialist. Frequent
external contacts include building relationships with clients, professional
information security organizations, other information security consultants,
vendors of hardware, software, and security services, and various regulatory and
legal authorities.




6 Information Security Policies, Procedures, and Standards 




Principal Duties and Responsibilities: 

The responsibilities of the Director, Design and Strategy include, but are not limited
to, the following:

• Develop global information security services that will provide the security
  functionality required to protect clients' information assets against unauthorized
  disclosure, modification, and destruction. Particular focus areas include:
    Virtual private networks
    Data privacy
    Virus prevention
    Secure application architecture
    Service provider security solutions

• Develop information security strategy services that can adapt to clients' diverse
  and changing technological needs.

• Work with Network and Security practice leaders and consultants to create sample
  architectures that communicate the security requirements that will meet the
  needs of all client network implementations.

• Work with practice teams to aid them from the conception phase to the
  deployment of the project solution. This includes quality assurance review to
  ensure that the details of the project are correctly implemented according to
  the service delivery methodology.

• Work with the clients to collect their business requirements for electronic
  commerce, while educating them on the threats, vulnerabilities, and available
  risk mitigation strategies.

• Determine where and how cryptography should be used to provide public key
  infrastructure and secure messaging services for clients.

• Participate in security industry standards bodies to ensure strategic information
  security needs will be addressed.

• Conduct security focus groups with the clients to cultivate an effective exchange
  of business plans, product development, and marketing direction to aid in
  creating new and innovative service offerings to meet client needs.

• Continually evaluate vendors' product strategies and future product statements
  and advise which will be most appropriate to pursue for alliances, especially in
  the areas of:
    Virtual private networks
    Data privacy
    Virus prevention
    Secure application architecture
    Service provider security solutions

• Provide direction and oversight of hardware- and software-based cryptography
  service development efforts.


Accountability: 

Maintain the quality and integrity of the services offered by the Global Security Practice.
Review and report impartially on the potential viability and profitability of new security
services. Assess the operational efficiency, compliance to industry standards, and
effectiveness of the client network designs and strategies that are implemented through
the company's professional service offerings. Exercise professional judgment in making
recommendations that may impact business operations.




Knowledge and Skills: 

• 10 Percent Managerial/Practice Management
  Ability to supervise a multidisciplinary team and a small staff; must handle
  multiple tasks simultaneously; ability to team with other Practice Directors
  and Managers to develop strategic service offerings
  Willingness to manage or to personally execute necessary tasks, as resources
  are required
  Excellent oral, written, and presentation skills

• 40 Percent Technical
  In-depth technical knowledge of information-processing platforms, operating
  systems, and networks in a global distributed environment
  Ability to identify and apply security techniques to develop services to reduce
  clients' risk in such an environment
  Technical experience in industrial security, computer systems architecture,
  design, and development, physical and data security, telecommunications
  networks, auditing techniques, and risk analysis principles
  Excellent visionary skills that focus on scalability, cost-effectiveness, and
  implementation ease

• 20 Percent Business
  Knowledge of business information flow in a multinational, multiplatform
  networked environment
  Solid understanding of corporate dynamics and general business processes;
  understanding of multiple industries
  Good planning and goal-setting skills

• 20 Percent Interpersonal
  Must possess strong consulting and communication skills
  Ability to work with all levels of management to resolve issues
  Must understand and differentiate between tactical and strategic concepts
  Must be able to weigh business needs against security requirements
  Must be self-motivating


Attributes: 

Must be mature, self-confident, and performance oriented. Will clearly
demonstrate an ability to lead technological decisions. Will establish credibility
with personal dedication, attention to detail, and a hands-on approach. Will have
a sense of urgency in establishing security designs and strategies to address new
technologies to be deployed addressing clients' business needs. Will also be
capable of developing strong relationships with all levels of management. Other
important characteristics will be the ability to function independently, holding to
the highest levels of personal and professional integrity. Will be an excellent
communicator and team player.

Specific requirements include: 

• Bachelor's degree required; Master's or other advanced degree preferred

• Fifteen or more years of information technology consulting or managerial
  experience, eight of those years spent in information security positions




• CISSP certification preferred (other appropriate industry or technology
  certifications desirable)


Potential Career Path Opportunities: 
Opportunities for progression to a VP position within the company 


1.4 Common Threats 


Information processing systems are vulnerable to many threats that can inflict
various types of damage resulting in significant losses. This damage can
range from errors harming database integrity to fires destroying entire
complexes. Losses can stem from the actions of supposedly trusted employ-
ees defrauding a system, from outside hackers, or from careless data entry.
Precision in estimating information protection-related losses is not possible
because many losses are never discovered, and others are covered up to
avoid unfavorable publicity.

The typical computer criminal is an authorized, nontechnical user of the
system who has been around long enough to determine what actions would
cause a “red flag” or an audit. The typical computer criminal is an employee.
According to a recent survey in the “Current and Future Danger: A CSI Primer
on Computer Crime & Information Warfare,” more than 80 percent of the
respondents identified employees as a threat or potential threat to information
security. Also included in this survey were the competition, contract personnel,
public interest groups, suppliers, and foreign governments.

The chief threat to information protection is still errors and omissions. This 
concern continues to make up 65 percent of all information protection prob- 
lems. Users, data entry personnel, system operators, programmers, and the 
like frequently make errors that contribute directly or indirectly to this problem. 

Dishonest employees make up another 13 percent of information pro-
tection problems. Fraud and theft can be committed by insiders and outsiders,
but are more likely to be done by employees. In a related area, disgruntled
employees make up another 10 percent of the problem. Employees are most
familiar with the information assets and processing systems of the organi-
zation, including knowing what actions might cause the most damage,
mischief, or sabotage.

Common examples of information protection-related employee sabotage 
include destroying hardware or facilities, planting malicious code (viruses, 
worms, Trojan horses, etc.) to destroy data or programs, entering data incor- 
rectly, deleting data, altering data, and holding data “hostage.” 

The loss of the physical facility or the supporting infrastructure (power
failures, telecommunications disruptions, water outage and leaks, sewer
problems, lack of transportation, fire, flood, civil unrest, strikes, etc.) can
lead to serious problems and makes up eight percent of information pro-
tection-related problems.




The final area is malicious hackers or crackers. These terms refer to those
who break into computers without authorization or exceed the level of
authorization granted to them. Although these problems receive the largest
amount of press coverage, they only account for five to eight percent of the
total picture. They are real and they can cause a great deal of damage. But
when attempting to allocate limited information protection resources, it may
be better to concentrate efforts in other areas. To be certain, conduct a risk
analysis to see what your exposure might be.


1.5 Policies and Procedures 


An information protection policy is the documentation of enterprisewide 
decisions on handling and protecting information. In making these decisions, 
managers face hard choices involving resource allocation, competing objec- 
tives, and organization strategy related to protecting both technical and infor- 
mation resources as well as guiding employee behavior. 

When creating an information protection policy, it is best to understand 
that information is an asset of the enterprise and is the property of the 
organization. As such, information reaches beyond the boundaries of IT and 
is present in all areas of the enterprise. To be effective, an information
protection policy must be part of the organization's asset management program
and must be enterprisewide.

There are as many forms, styles, and kinds of policy as there are organi- 
zations, businesses, agencies, and universities. In addition to the various forms, 
each organization has a specific culture or mental model of what a policy is, 
how it is to look, and who should approve the document. The key point here 
is that every organization needs an information protection policy. According 
to the 2000 CSI report on Computer Crime, 65 percent of respondents to its 
survey admitted that they do not have a written policy. The beginning of an 
information protection program is the implementation of a policy. The program 
policy creates the attitude of the organization toward information and 
announces internally and externally that information is an asset and the 
property of the organization and is to be protected from unauthorized access, 
modification, disclosure, and destruction. 

This book leads the policy writer through the key structure elements and 
then reviews some typical policy contents. Because policies are not enough, 
this book teaches the reader how to develop standards, procedures, and 
guidelines. In each section the reader is given advice on the structural 
mechanics of the various documents as well as actual examples. 


1.6 Risk Management 


Risk is the possibility of something adverse happening. The process of risk 
management is identifying those risks, assessing the likelihood of their occur- 
rence, and then taking steps to reduce the risk to an acceptable level. All risk 




analysis processes use the same methodology. Determine the asset to be
reviewed. Identify the risk, issues, threats, or vulnerabilities. Assess the prob-
ability of the risk occurring and the impact to the asset or the organization
should the risk be realized. Then identify controls that would bring the impact
to an acceptable level.

The 2001 CRC Press book titled Information Security Risk Analysis discusses
effective risk analysis methodologies. The book takes the reader through the
theory of risk analysis:


• Identify the asset
• Identify the risks
• Prioritize the risks
• Identify controls and safeguards


The book helps the reader understand qualitative risk analysis and then gives 
examples of this process. To make certain that the reader receives a well- 
rounded exposure to risk analysis, the book presents eight different methods, 
ending with the Facilitated Risk Analysis Process (FRAP). 

The primary function of information protection risk management is the 
identification of appropriate controls. In every assessment of risk, there will 
be many areas for which it will not be obvious what kind of controls are 
appropriate. The goal of controls is not to have 100 percent security.
security would mean zero productivity. Controls must never lose sight of the 
business objectives or mission of the enterprise. Whenever there is a contest 
for supremacy, controls lose, productivity wins. This is not a contest, however. 
The goal of information protection is to provide a safe and secure environment 
for management to meet its duty of care. 

When selecting controls, you will need to consider many factors, including 
the information protection policy of the organization, the legislation and 
regulations that govern your enterprise, along with safety, reliability, and 
quality requirements. Remember that every control will require some perfor- 
mance requirements. These performance requirements may be a reduction in 
user response time, additional requirements before applications are moved 
into production, or additional costs. 

When considering controls, the initial implementation cost is only the tip of 
the cost iceberg. The long-term cost for maintenance and monitoring must be 
identified. Be sure to examine any and all technical requirements and cultural 
constraints. If your organization is multinational, control measures that work 
and are accepted in your home country might not be accepted in other countries. 

Accept residual risk. At some point management must decide if the oper- 
ation of a specific process or system is acceptable, given the risk. There can 
be any number of reasons that a risk must be accepted. These include but 
are not limited to: 


• The type of risk may be different from previous risks.
• The risk may be technical and difficult for a layperson to grasp.
• The current environment may make it difficult to identify the risk.




Information protection professionals sometimes forget that the managers 
hired by our organizations have the responsibility to make decisions. The job 
of the ISSO is to help the information asset owners identify risks to the assets. 
Assist them in identifying possible controls and then allow them to determine 
their action plan. Sometimes, they will choose to accept the risk, and this is 
perfectly permissible. 


1.7 Typical Information Protection Program 


Over the years, the computer security group responsible for access control and 
disaster recovery planning has evolved into the enterprisewide information 
protection group. Included in their ever-expanding roles and responsibilities are: 


• Firewall control
• Risk analysis
• Business impact analysis
• Virus control and virus response
• Computer emergency response
• Computer crime investigation
• Records management
• Encryption
• E-mail, voice-mail, Internet, video-mail policy
• Enterprisewide information protection program
• Industrial espionage controls
• Contract personnel nondisclosure agreements
• Legal issues
• Internet monitoring
• Disaster planning
• Business continuity planning
• Digital signature
• Secure single sign-on
• Information classification
• Local area networks
• Modem control
• Remote access
• Security awareness programs


In addition to these elements, the security professional now has to ensure that 
standards, both in the United States and worldwide, are examined and acted 
upon where appropriate. This book discusses these new standards in detail. 


1.8 Summary 


The role of the information protection professional has changed over the past 
25 years and will change again and again. Implementing controls to be in 




compliance with audit requirements is not the way to run such a program. 
There are limited resources available for controls. To be effective, information 
owners and users must accept the controls. To meet this end, it will be 
necessary for information protection professionals to establish partnerships 
with their constituency. Work with your owners and users to find an appro- 
priate level of controls. Understand the needs of the business or the mission 
of your organization. Make certain that information protection supports those 
goals and objectives. 


Chapter 2 


Writing Mechanics 
and the Message 


This chapter first discusses writing mechanics; and then it examines what the 
new standards identify as content material for a security policy. When we 
have provided the infrastructure for policy writing, we then examine the policy 
structure (this is done in Chapter 3). 

We begin this chapter with a discussion on attention spans. Most of us can 
understand that attention spans seem to have shrunk over the years. We then 
examine the reading and comprehension level of employees. These two 
elements lead us to the need to develop an effective “grabber” to gain the 
readers' attention and then to keep them interested. 

The final elements discussed in this chapter are the mechanics of a topic
sentence and why it is important. We also review the thesis statement, which
is part of our discussion on topic-specific policies. When you are writing
policies, standards, and procedures, many of the conventions of writing will be
abandoned, but an effective topic sentence or thesis statement is vitally
important to retain and enhance.


2.1 Attention Spans 


There are clear and compelling reasons an effective topic sentence is important 
in catching the reader's attention and keeping it. The first of these is time 
constraints. Employees do not have a lot of time to search for the meaning 
of a policy. They need to see it right up-front, and it must explain why it is 
important to them. Calvin Coolidge was a man of few words, but he got his 
point across. During a dinner at the White House, sitting next to him was a 
woman who needed only a warm body to have a “conversation.” After 
nattering on for a long period of time, she said to President Coolidge, “I have 




a bet that I can make you say more than three words.” Coolidge looked at 
her and said, “You lose.” 

It is not the number of words that you say or write; in fact, most of our
employees tune out long before there is an end to the topic. Have you ever
found yourself thinking about other things when someone else is talking or
while attempting to read something? To get the message to our employees
requires the proper selection of words to gain maximum impact. You no longer
have unlimited time to get the message out. To survive in business today, you
must be able to get your message to your employees in less than a minute.

Along with time, the next constraint is attention span. Recently, I attended
a training session on the attention span of individuals. As a trainer, I always
like to keep up on what will make me better in getting my ideas out. During
this session we were shown a film clip of the old Jack Benny Show, a program
that ran during the late 1950s through the early 1960s. We were asked to
count the number of seconds between camera angle changes. We were able
to count seven or eight seconds between changes. Then we were shown a
clip of the Brady Bunch (1970s). The change time was about four seconds.
Then we were shown a music video and counted one second between camera
angle changes.

When I was growing up, the average television commercial ran 60 seconds. 
Today, the average commercial runs 15 to 30 seconds. If you sit through a 
60-second commercial today, you will think you have just sat through War 
and Peace. 

According to Milo O. Frank, the author of How to Get Your Point Across
in 30 Seconds or Less, the attention span of the average individual is 30 seconds.
To match this limited time frame of attention span, the writer needs to get
the message out to the reader in an average of 100 words. Now some of us
read faster than others and some read slower, but the average of 100 words
will put you pretty much on target.

With the limited time frame and the concept of attention span now revealed
to you, it will be necessary for you to understand some key concepts (see
Exhibit 1).


Exhibit 1 Key Concepts

• Identify your objective
• Know the audience
• Find the “hook”
• Know your subject
• If you need something, ask for it
• Keep sentences clear and precise
• Use the established style
• Use an active voice
• Read other policies to learn what works
• Use a conversational style




2.2 Key Concepts


• Identify your objectives — Before you begin to develop a policy,
  standard, or procedure, you will have to know what it is that you
  are going to discuss. It cannot be some abstract concept. You will
  need a clear vision of what needs to be accomplished in the document
  before you.
• Know your audience — As important as it is to know what you are
  going to write about, it is also necessary to know who your audience
  is. When writing a policy, the audience will often be the general
  employee population (all employees); when writing procedures, the
  audience will be much narrower. The success or failure of your policies,
  standards, and procedures will depend on how well you focus on
  the intended audience.
• Find the hook — Employees need to know how the document impacts
  their lives. So establish quickly why it is important to the intended reader.
  This kind of statement is generally used to get people's attention. The
  hook must relate to the objective and how they are affected.
• Know your subject — The best-written policies, standards, and pro-
  cedures are those that properly address the topic. Research how others
  have addressed the topics you need to address. The best place to
  find this kind of information is through your local chapter of the
  Information Systems Security Association (ISSA), which can be found
  by accessing its Web site (www.issa.org) or by searching the Internet.
  Whatever it takes, it is necessary for you to know as much as possible
  about your topic.
• If you need something, ask for it — A policy or procedure without a
  specific objective is a wasted opportunity. If there is a need for a
  response or a compliance issue, make certain that the reader is told
  what is expected and what the time frame is.
• Keep sentences clear and precise — Now is not the time to create your
  doctoral thesis. Keep the message brief and to the point. Do not use
  unnecessary words or show off your newfound vocabulary. This concept
  harks back to knowing your audience. Use the language of your enter-
  prise when developing a general policy statement and the language of
  the specific department for a topic-specific policy or procedure.
• Use the established style — Research the style and format of existing
  policies and procedures. Do not become innovative; stick to what is
  expected. The policy or procedure will be better accepted if it looks
  like what the readers are used to.
• Use an active voice — A sentence in which the performer of the action
  is the subject of the verb is said to be in the active voice. In passive
  sentences, the subject is acted upon; such sentences use the passive
  voice. For example:

  Passive voice: The software is written by the programmer.

  Active voice: The programmer writes the software.




The choice between using the active or passive voice in writing is a 
matter of style, not correctness. However, most handbooks recommend 
using active voice, which they describe as more natural, direct, lively, 
and succinct. The passive voice is considered wordy and weak. 


• Read other policies — Not just information security policies, but as many
  policies as possible. When I was traveling to Malaysia, the airline staff
  passed out landing documentation forms and among them was a policy
  statement for a country that read “Drug smuggling is punishable by
  death.” Later, I was teaching a class on policy writing and asked my
  students if this was a policy. I was informed that not only was it a
  policy, but it was enforced. The key point here is that a policy does
  not have to be a large document. So read other policies and procedures
  and see how they handle the topic.
• Use a conversational style — This is a matter of preference, but over
  the years I have found that using a style that is most like a conversation
  is the best way to get the message out to the audience.


2.3 Topic Sentence and Thesis Statement


During the development of policies and procedures, we will be using two 
key writing terms: topic sentence and thesis sentence. So before we can begin 
to discuss the structure of policies, it is important to take a few minutes to 
cover these most important topics. 

A topic sentence is a general statement that expresses the main idea of a
paragraph. A paragraph is a group of sentences that develop one main idea.
The main idea is the general statement that the other sentences support or
explain.

The topic sentence has two main parts: 


• Subject — What the paragraph is about
• Focus — What the paragraph will say about the subject


Examples: 


Most adults / find learning a foreign language difficult.
    (subject / focus)

Telephones / intrude into the privacy of our daily lives.
    (subject / focus)

Parents of teenagers / often feel unappreciated.
    (subject / focus)


A topic sentence sets up one paragraph, which is usually less than a page 
of text; therefore, the topic sentence should be general, but not too general. 




Too general: Security is important.
Still too general: Information security is important for the business.
Much better: Business-related information is an asset of the enterprise
and is the property of the company, and all employees are responsible
for protecting this asset.


General guidelines for creating effective topic sentences are as follows:


• A topic sentence should always be a complete sentence.
• A topic sentence should not merely state a single fact.
• A topic sentence should be a general statement, but should not be too
  broad or too vague.


A topic sentence may come at the beginning, as the second sentence, at
the end, or may be implied. In academic writing assignments, many instructors
(but not all) seem to prefer that the topic sentence come at the beginning of
the paragraph. To be most effective, it is strongly recommended that it be the
opening sentence of any policy or procedure.

The other writing element is the thesis statement. We will use this form
of writing when we discuss the topic-specific policy statement. By discussing
it here, we will be able to move through the structure elements of policies
more quickly.

Everything you write should develop around a clear central thesis. Your 
thesis is the backbone of your policy or procedure. Ask yourself, “What is 
the main point of this document?” Your answer should resemble the thesis 
statement of your policy and should focus your central ideas into one or 
two sentences. 

When developing a thesis statement, it is best to avoid starting your thesis 
sentence with “It is the policy of....” Furthermore, tackling two topics at once 
(even if they seem related) should be avoided as much as possible. Pick one 
and stick with it. 


2.4 The Message 


A few years ago I took a speed-reading class, and one of the things we learned
was how to read a textbook for review. When reviewing a chapter, read all
the captions, graphs, and illustrations first, then read the opening paragraph
in its entirety, the opening sentence of the other paragraphs, and the closing
paragraph in its entirety. The message must come through clearly and precisely
and be reinforced in each of the subsequent paragraphs.

It cannot be stressed enough that the opening one or two sentences must
grab the readers and tell them what is important and why it impacts them.
As we begin to discuss the structure of the policy statement in Chapter 5, you
will begin to see examples of where this has been done successfully and
where it needs more work.


18 Information Security Policies, Procedures, and Standards 


2.5 Writing Don't's 


Over the years, I have taught a number of classes on writing policies and 
procedures. To ensure that the students maintain an effective attention span, 
I use bits of humor to get the point across. The following is an example of 
this kind of writing humor, but the statements are true. 


2.5.1 How to Write Well 


1. Avoid alliteration. Always. 

2. Prepositions are not words to end sentences with. 

3. Avoid clichés like the plague. (They are old hat.) 

4. Employ the vernacular. 

5. Eschew ampersands & abbreviations, etc. 

6. Parenthetical remarks (however relevant) are unnecessary. 

7. It is wrong to ever split an infinitive. 

8. Contractions aren't necessary. 

9. Foreign words and phrases are not apropos. 

10. One should never generalize. 

11. Eliminate quotations. As Ralph Waldo Emerson once said: “I hate 
quotations. Tell me what you know.” 

12. Comparisons are as bad as clichés. 

13. Do not be redundant; do not use more words than necessary; it is 
highly superfluous. 

14. Profanity sucks. 

15. Be more or less specific. 

16. Understatement is always best. 

17. Exaggeration is a billion times worse than understatement. 

18. One-word sentences? Eliminate. 

19. Analogies in writing are like feathers on a snake. 

20. The passive voice is to be avoided. 

21. Go around the barn at high noon to avoid colloquialisms. 

22. Even if a mixed metaphor sings, it should be derailed. 

23. Who needs rhetorical questions? 




2.6 Summary 


In this chapter we discussed the writing mechanics and concepts to use to 
get the message out to the reader. Included in this discussion were: 


■ Attention span 

■ Keeping the topic up-front 

■ Amount of time before we lose the reader 

■ Writing concepts 

■ Identifying the objective 

■ Knowing the audience 

■ Finding a hook 

■ Knowing the subject 

■ Asking for what is needed from the reader 

■ Keeping sentences clear and precise 

■ Using established forms of documents 

■ Using an active voice 

■ Reading other policies 

■ Using a conversational style 

■ Topic sentence and thesis statements 

■ Writing don't's 


When you need to write policies, standards, and procedures, you will have 
an overwhelming desire to start writing. But take the time to determine what 
needs to be done and how you will do it. Do your research. There are no 
new policies. Whatever you need to write about, you should be able to find 
an example that can be used to guide you along in your development. Try 
to avoid the temptation of taking an existing policy and just changing the 
names. It might work, but the odds that this kind of quick fix will meet the 
specific business objectives of your organization are very small. 

In Chapter 3 we discuss the policy statement, its structure, and ISO 17799 
suggested contents. 


Chapter 3 


Policy Development 


The cornerstone of an effective information security architecture is a well- 
written policy statement. This is the wellspring of all other directives, standards, 
procedures, guidelines, and other supporting documents. As with any foun- 
dation, it is important to establish a strong footing. As will be discussed, a 
policy performs two roles: one internal and one external. 

The internal portion tells employees what is expected of them and how 
their actions will be judged. The external portion tells the world how the 
enterprise is run, that there are policies that support sound business practices, 
and that the organization understands that protection of assets is vital to the 
successful execution of its mission. 

In any discussion regarding written requirements, the term policy has more 
than one meaning. To some, a policy is the directive of senior management 
on how a certain program is to be run, what its goals and objectives are, and 
to whom responsibilities are to be assigned. The term policy may refer to the 
specific security rules for a particular system such as ACF2 rule sets, RACF 
permits, or intrusion-detection system policies. Additionally, policy may refer 
to entirely different matters, such as specific management decisions that set 
an organization's e-mail privacy policy or Internet usage policy. 

This chapter examines three different forms of policy statements: the 
general program policy, the topic-specific policy, and the system/application- 
specific policy. 


3.1 Policy Definitions 
3.1.1 Policy 


A policy is a high-level statement of enterprise beliefs, goals, and objectives 
and the general means for their attainment for a specified subject area. A 
policy should be brief (which is highly recommended) and set at a high level, 




3.1.2 General Program Policy 


A general program policy sets the strategic directions of the enterprise for 
global behavior and assigns resources for its implementation. This includes 
such topics as information management, conflict of interest, employee stan- 
dards of conduct, and general security measures. 


3.1.3 Topic-Specific Policy 


Topic-specific policy addresses specific issues of concern to the organization. 
Topic-specific policies might include e-mail policy, Internet usage policy, 
phone usage, physical security, application development, system maintenance, 
and network security. 


3.1.4 System/Application-Specific Policy 


System/application-specific policies focus on decisions taken by management to 
protect a particular application or system. System/application-specific policy 
might include controls established for the financial management system, accounts 
payable, business expense forms, employee appraisal, and order inventory. 


3.2 Frequently Asked Questions 
3.2.1 What Is a Security Policy? 


Security policy is defined as a high-level statement of organizational beliefs, 
goals, and objectives and the general means for their attainment as related to 
the protection of organizational assets. A security policy is brief, is set at a 
high level, and never states “how” to accomplish the objectives. 

Because policy is written at a high level, organizations must develop 
standards, guidelines, and procedures that offer those affected by the policy 
one or more possible methods for implementing the policy and meeting the 
business objectives or mission of the organization. 


3.2.2 What Should Be in a Policy? 


When developing the policy, there is as much danger in saying too much as 
there is in saying too little. The more intricate and detailed the policy, the 
more frequent the update requirements and the more complicated the training 
process for those who must adhere to it. 

The policy should define the goal or business purpose for its existence, 
the policy statement, the scope or affected parties/locations/legal entities, and 
the individual responsibilities of those charged with the implementation and 
enforcement of the policy. The policy, because it is at the highest level, 
provides for management discretion in the actual implementation of processes 
to meet the intent of the policy. 




3.2.3 Why Should an Enterprise or Service Provider Implement 
an Information Security Policy? 


In the absence of an established policy, the current and past activities of 
the organization become the de facto policy. Where there is no formal policy, 
the organization may be in greater danger of a breach of security, loss of 
competitive advantage, loss of customer confidence, and increased govern- 
mental interference. By implementing policies, the organization takes control 
of its destiny and reduces the likelihood that the internal or external auditors 
or courts will step in to set policy that may stifle the business instead of 
supporting it. 


3.2.4 Can the Enterprise or Service Provider Get Along 
with Unwritten Policy? 


Many organizations, especially new ventures, seem to get along with informal 
policies. These exist, much like folklore and customs, and are passed from 
one employee to another through word of mouth. Why, then, are written and 
published policies necessary? Information, the intangible asset of every orga- 
nization, is a unique asset. There is often a great deal of confusion about how 
to handle information, how to classify information, and who has the ultimate 
responsibility for the information. 

There may be legal or regulatory reasons an information security policy 
must be published. But the primary reason for having a written and published 
policy is that only a written policy can be used to prove the management 
standard of “due diligence” to a court of law, in a customer contract, in vendor 
relations, in acquisitions, and for public relations. 


3.2.5 Are There Regulatory Reasons for Policy Implementation? 


The International Organization for Standardization, founded in 1947, is a 
worldwide federation of national standards bodies from approximately 100 
countries, one from each country. Among the standards it fosters is Open 
Systems Interconnection (OSI), a universal reference model for communication 
protocols. Many countries have national standards organizations, such as the 
American National Standards Institute (ANSI), that participate in and contribute 
to ISO standards development.* 

A new ISO standard has been adopted for information security. This new 
standard, published in December 2000, is noted as ISO 17799. Registration to 
ISO 17799 will provide the guidelines for security information management 
systems. Further, it promotes a managerial system for safeguarding information 
and its confidentiality and integrity. Registration will objectively demonstrate 
that a management system has implemented internationally recognized busi- 
ness controls for information security. 


* “ISO” is not an abbreviation. It is a word, derived from the Greek isos, meaning “equal,” 
which is the root for the prefix “iso-” that occurs in a host of terms, such as “isometric” (of 
equal measure or dimensions) and “isonomy” (equality of laws, or of people before the law). 
The name ISO is used around the world to denote the organization, thus avoiding the 
assortment of abbreviations that would result from the translation of “International Organi- 
zation for Standardization” into the different national languages of members. Whatever the 
country, the short form of the organization's name is always ISO. 

The ISO 17799 standard discusses ten areas, and item number one is an 
information security policy. The objective is to provide management direction 
and support for information security. Enterprise senior management should 
set clear direction and demonstrate its support for and commitment to infor- 
mation security through the issue of an information security policy across the 
entire enterprise. 

The U.S. Federal Sentencing Guidelines for Criminal Activities define exec- 
utive responsibility for fraud, theft, and anti-trust violations and establish a 
mandatory point system for U.S. federal judges to determine appropriate 
punishment. Because much fraud and falsification of corporate data involves 
access to computer-held data, liability established under the guidelines extends 
to computer-related crime as well. What causes concern for many executives 
is that the mandatory punishment could apply to them even when intruders 
enter a computer system and perpetrate a crime. 

In addition to the mandatory scoring system for punishment, the guidelines 
also have an incentive for proactive crime prevention. The requirement is for 
management to show “due diligence” in establishing an effective compliance 
program. There are seven elements that capture the basic functions inherent 
in most compliance programs: 


1. Establish policies, standards, and procedures to guide the workforce. 

2. Appoint a high-level manager to oversee compliance with the policy, 
standards, and procedures. 

3. Exercise due care when granting discretionary authority to employees. 

4. Assure compliance policies are being carried out. 

5. Communicate the standards and procedures to all employees and 
others. 

6. Enforce the policies, standards, and procedures consistently through 
appropriate disciplinary measures. 

7. Establish procedures for corrections and modifications in case of vio- 
lations. 


3.2.6 Are There Other Reasons to Implement Policies? 


Information is a unique enough asset to warrant a written statement 
regarding its protection. Although there are legal and regulatory reasons 
to implement policies, standards, and procedures, the bottom line is that 
good controls make good business sense. Failing to implement controls 
can lead to financial penalties in the form of fines and costs. Such activities 
can lead to loss of customer confidence, competitive advantage, and 
ultimately, loss of business. By implementing proper controls, documenting 




them in writing, and communicating them to all affected individuals and 
entities, the organization can realize real cost benefit by avoiding public 
criticism and saving time on the investigation and subsequent disciplinary 
process. 

Most importantly, only a written policy can be convincing in courts of law, 
customer contracts, vendor relations, acquisitions, and public relations. 


3.3 Policies Are Not Enough: A Preliminary Look 
at Standards, Guidelines, and Procedures 


A general program policy (GPP) is written at a broad level and, as such, will 
require supporting standards, procedures, and guidelines. Standards, proce- 
dures, and guidelines provide a clearer direction for employees, managers, 
and others by offering a more-detailed approach to implementing policy and 
meeting the business objectives or mission of the organization. 

A policy is not a specific and detailed description of the problem and each 
step that is needed to implement the policy. For example, a policy on requiring 
access control for remote users has exceeded its scope if there is a discussion 
about passwords, password length, password history, etc. Standards and 
guidelines (which are discussed in Chapter 5) specify technologies and meth- 
odologies to be used to secure systems. Procedures are the detailed steps 
required to accomplish a particular task or process. 

Enterprise standards specify a uniform suite of specific technologies, param- 
eters, or procedures to be used by those wishing to access enterprise resources. 
Enterprise standards should not be confused with British Standards 7799 (BS 
7799), the ISO 17799 (published in December 2000), the Australian-New 
Zealand 4444 (ANZ 4444), the Generally Accepted System Security Principles 
(GASSP), or other national or international documents. 

Enterprise guidelines are implemented to assist the user community, support 
personnel, and others in secure access to enterprise information and system 
resources. Guidelines, however, attempt to provide business units and others 
with alternatives to increase levels of control where deemed appropriate. 
Where a standard is mandatory, a guideline is a suggestion. 

Enterprise procedures normally assist with compliance to applicable poli- 
cies, standards, and guidelines. They are the detailed steps to be followed by 
users, support personnel, or others to accomplish a particular task. 

Many organizations issue overall information security manuals, regulations, 
handbooks, practices and procedures, or other similar documents. These 
documents are a closely linked mix of policy, standards, guidelines, and 
procedures. Although such documents serve as a useful tool, it is important 
to distinguish between a policy and its implementation elements. Policy 
requires approval of management, while standards, guidelines, and procedures 
can be modified as needed to support changing environments. Standards, 
guidelines, and procedures promote flexibility and cost-effectiveness by allow- 
ing alternative approaches to the implementation process. 




3.4 Policy, Standards, Guidelines, and Procedures: 
Definitions and Examples 


3.4.1 Definitions 


Policy — A policy is a high-level statement of enterprise beliefs, goals, 
and objectives and the general means for their attainment for a specified 
subject area. 

Standards — Standards are mandatory activities, actions, rules, or regu- 
lations designed to provide policies with the support structure and 
specific direction they require to be meaningful and effective. They are 
often expensive to administer and, therefore, should be used judi- 
ciously. 

Guidelines — Guidelines are more general statements designed to achieve 
the policy objectives by providing a framework within which to imple- 
ment procedures. Where standards are mandatory, guidelines are rec- 
ommendations. 

Procedures — Procedures spell out the specifics of how the policy and 
the supporting standards and guidelines will actually be implemented 
in an operating environment. 


3.4.2 Example 1 — Access to Company Information Is Restricted 


Policy: Access to company information systems is restricted to authorized 
users only. 

Standard: Users are required to have a unique UserID and a confidential 
password. 

Guideline: Passwords should be five to eight alphanumeric characters. 

Procedure: UserID and password requests must contain a signature of 
the authorized information owner. Approval signatures shall be verified 
against the company Authorized Signatures Reference Manual. 


3.4.3 Example 2 — Custodians Should Provide a Safe and Secure 
Environment 


Policy: Information custodians are responsible for providing a safe and 
secure processing environment in which information can be maintained 
with integrity. 

Standard: Custodians of information processing systems must ensure that 
the system is free from destructive software elements (such as viruses), 
which would impair the normal and expected operation of the system. 

Guidelines: Where available, a virus prevention, detection, and recovery 
package should be installed. Employees with access to computer sys- 
tems should attend a training session on the virus threat to understand 
the damage a virus infection can inflict and understand their personal 
responsibility for protecting their own systems. 


Exhibit 1 Policy Diagram (layers shown: Laws, Regulations, and Requirements; 
Procedures, Practices; Guidelines) 


Procedures: Viruses are often transmitted through public-domain software. 
Software that is public domain (i.e., non-licensed software also called 
“shareware” or “freeware”) or the employee's personal property shall 
not be permitted on company equipment without the explicit authori- 
zation of organization management and after being certified as virus-free. 

Employees are to turn off or lock up desktop systems at the end of 
the workday to prevent unauthorized access and possible virus 
contamination. 

Employees are to use the “write protection” tabs on diskettes when- 
ever possible. 

Employees are to report any type of unauthorized access, theft, or 
virus infection to the Information Protection group or the Help Desk 
upon discovery. 


3.5 Policy Key Elements 


To meet the needs of an organization, a good policy should: 


■ Be easy to understand. As discussed in Chapter 2, it is important that 
the material presented meet the requirements of the intended audience. 
All too often, policies, standards, and procedures are written by subject 
matter experts and then given to a general-use audience. The material 
is often written at a college level when the average reading and 
comprehension level in the workplace is that of a sixth grader (a 12- 
year-old). 

■ Be applicable. When creating policy, the writer may research other 
organizations and copy that document verbatim. However, it is impor- 
tant to ensure that whatever is written meets the needs of your specific 
organization. 


■ Be doable. Can the organization and its employees still meet business 
objectives if the policy is implemented? I have seen many organizations 
that have written the ultimate security policy, only to find out that it 
was so restrictive that the mission of the organization was placed at risk. 

■ Be enforceable. Do not write a self-defeating policy. A policy may state, 
“Use of the company-provided telephone is for business calls only.” 
For most organizations, this may in fact be the policy, but almost every 
phone in the facility is used daily for personal calls. What might make 
a better policy is one that says, “Company-provided telephones are to 
be used for management-approved functions only.” This opens up some 
latitude and still meets the business need. 

■ Be phased in. It may be necessary to allow the organization to read 
and digest the policy before it takes effect. Many organizations publish 
a policy and then require the business units to submit a compliance 
plan within a specific number of days after publication. This provides 
the business unit managers a period of time to review the policy, 
determine where their organization may be deficient, and then submit 
a timetable for compliance. These compliance letters are normally kept 
on file and are made available to the audit staff. 

■ Be proactive. State what has to be done. Do not get into the routine 
of making pronouncements — “Thou shalt not!!!!” Try to state what can 
be done and what is expected of the employees. 

■ Avoid absolutes. Never say never. Be diplomatic and understand the 
politically correct way to say things. When discussing sanctions for 
noncompliance, some organizations have stated, “Employees violating 
this policy will be subject to disciplinary sanctions up to and including 
dismissal without warning,” when the policy could better have stated 
something like, “Employees found in noncompliance with this policy 
will be deemed in violation of the Employee Standards of Conduct.” The 
Standards of Conduct state that employees will suffer disciplinary sanc- 
tions up to and including dismissal. Use the kinder, gentler approach. 

■ Meet business objectives. Security professionals should remember that 
the controls must help the organization reach an acceptable level of 
risk. A 100 percent security program could mean zero percent produc- 
tivity. Whenever controls or policy impact the business objectives or 
mission of the organization, then the controls and policy will lose. Work 
to understand that the policy exists to support the business, not the 
other way around. 


3.6 Policy Format and Basic Policy Components 


The actual format (layout) of a policy will depend on what policies look like 
within a specific organization. It is very important that any policy developed 
look like published policies from the organization. Some members of the 
review panel will be unable to read and critique the new policy if it does not 
look like a policy. 




Policies are generally brief (in comparison to procedures and practices), 
usually not much more than a page or two of material. 


Information is an asset and the property of the organization. All employ- 
ees are responsible for protecting that asset from unauthorized access, 
modification, disclosure, or destruction. 


When creating policies, it is helpful to understand that there are generally 
three types of policies that will be used during the development of a security 
document: 


1. General policy — This is used to create the overall information security 
vision of an organization. 

2. Topic-specific policies — These address specific topics of concern. There 
will normally be a topic-specific policy for each section of an informa- 
tion security document. 

3. Application-specific policies — These focus on decisions taken by 
management to protect particular applications or systems. 


3.6.1 Program Policy 


Senior management is responsible for issuing a program policy to establish 
the information security policy of the organization and its basic construction. 
This high-level policy defines the intent of the information security program 
and its scope within the organization. It also assigns responsibilities for 
implementation and compliance with the policy. 

The components of a program policy should include: 


■ Topic — The topic portion of the policy normally defines the goals of 
the program. When discussing information, most program policies 
concentrate on protecting the confidentiality, integrity, availability, and 
authenticity of the information resources. Additionally, it will attempt 
to establish that information is an item of value to the enterprise and, 
as such, must be protected from unauthorized access, modification, 
disclosure, and destruction, whether accidental or deliberate. 

■ Scope — The scope is a way to broaden or narrow the topic, such as 
“all information wherever stored and however generated.” This could 
expand the topic on information security, whereas a statement like 
“computer-generated data only” would sharply narrow the topic scope. 
The scope statement can also broaden or narrow the audience affected 
by the policy. For example, the statement, “the policy is intended for 
all employees,” pretty much takes in all of the people working for the 
enterprise, whereas, “that personnel with access to top-secret informa- 
tion” would limit the audience. 


■ Responsibilities — Typically, this section of the policy identifies three 
or more specific roles and their responsibilities. The first role discussed 
is that of management and it is typically charged with implementing 
and supporting the program. Employees are responsible for adhering 
to the policy and reporting any suspected problems to management. 
The policy could also establish an office responsible for day-to-day 
administration of the policy. 

■ Compliance — The policy will generally discuss two issues regarding 
compliance: 
a. Who is responsible for ensuring compliance to the policy objectives. 
Two specific groups are usually identified: 
i. First-line supervision and its role in monitoring employee activ- 
ities 
ii. The internal audit staff and its responsibility to conduct formal 
reviews 
b. What happens when the policy is violated. When developing and 
implementing the policy, keep in mind that violations of the policy 
may be unintentional. The violation could be a result of lack of 
training and awareness. Therefore, it will be necessary to establish 
a review process for each violation case-by-case, as opposed to 
creating mandatory sanctions. Allow management some leeway when 
reviewing problems. 


3.6.2 Topic-Specific Policy 


In each section of the procedure document, the material begins with the policy 
statement of the organization. Unlike the program policy, the topic-specific 
policy narrows the focus to one issue at a time. Hence, we discuss creating 
a procedure document to support the policy statement. It will be in this 
document or, in some cases, in stand-alone policies where this approach will 
be used. 

The basic components of a topic-specific policy include the following: 


■ Thesis statement — To establish a policy on a specific topic, the writer 
must interview management and determine the relevant issues to be 
addressed. As in the topic section of the program policy, the goals 
and objectives of the policy should be identified. 

■ Relevance — The topic-specific policy also needs to establish to whom 
the policy applies. In addition to whom, the policy will want to clarify 
where, how, and when the policy is applicable. Is the policy only 
enforced when employees are in the work-site campus or will it extend 
to off-site activities? 

■ Responsibilities — The establishment of roles and responsibilities is 
usually included in the topic-specific policy. When responsibilities are 
documented in a policy or procedure, it is always best to identify the 
position or job title rather than an individual by name. Job functions 
are usually more permanent than people. 

■ Compliance — Here it may be appropriate to describe in some detail 
the behavior that is unacceptable and the consequences of that behavior. 
The responsibility for monitoring compliance should also be identified. 


■ Additional information — For a topic-specific policy, a list that iden- 
tifies individuals (by job title) and departments that the user can contact 
for additional information should be made available. Where to obtain 
copies of associated procedures should also be included. 


3.6.3 Application-Specific Policy 


Program-level and topic-specific policy both address policy from a broad 
level; they usually encompass the entire enterprise. The application-specific 
policy focuses on one specific system or application. As the construction of 
security architecture for an organization takes shape, the final element will 
be the translation of program and topic-specific policies to the application 
and system levels. 

Many security issue decisions apply only at the application or system level. 
Some examples include: 


■ Who has the authority to read or modify application data? 
■ Under what circumstances can data be read or modified? 
■ How is remote access to be controlled? 


To develop a comprehensive set of system security policies, use a process 
that determines security rules (policy) based on business and mission 
objectives. 


■ Define the business objectives, then establish which security tools will 
support those objectives. 

■ Establish the rules for operating the application or system. Determine 
who has access to what resources and when. 

■ Determine if automated security tools can help administer the policy. 


3.7 Policy Content Considerations 


A policy document should be approved by management, published, and 
communicated, as appropriate, to all employees. It should state management 
commitment and set out the organization's approach to managing information 
security. As a minimum, the following guidance should be included: 


■ A definition of information security, its overall objectives and scope, 
and the importance of security as an enabling mechanism for informa- 
tion sharing 

■ A statement of management intention, supporting the goals and prin- 
ciples of information security 

■ A brief explanation of specific security policies, standards, and com- 
pliance requirements, including: 
  – Compliance with legislative and contractual requirements 
  – Security awareness and education requirements 
  – Prevention and detection of viruses and other malicious software 
  – Business continuity planning 
  – Consequences of security policy violations 

■ A definition of general and specific responsibilities for information 
security management, including security incident reporting 

■ References to documentation that may support the policy, e.g., more 
detailed security policies and procedures for specific information sys- 
tems and security rules with which users should comply 


This policy should be communicated throughout the enterprise in a form 
that is relevant, accessible, and understandable to the intended reader. 


3.8 Program Policy Examples 


The following are actual program policy statements for information security. 
As you read through them, examine them for the key element structure: 


■ Topic 

■ Scope 

■ Responsibilities 
  – Senior management 
  – Line management or supervision 
  – Employee 

■ Compliance 
  – Business unit noncompliance 
  – Employee noncompliance 


We examine a number of actual information security policy statements. As 
we examine each one, please use the above four items as a checklist to 
determine the completeness of each policy. 


3.8.1 Example 1 — A Utility Company 


Information is a valuable corporate asset. Business continuity is heavily 
dependent upon the integrity and continued availability of certain critical 
information and the means by which that information is gathered, stored, 
processed, communicated, and reported. As such, steps will be taken to protect 
information assets from unauthorized use, modification, disclosure, or 
destruction, whether accidental or intentional. 

The protection of these assets is a basic management responsibility. Employ- 
ing officers are responsible for: 


m Identifying and protecting computer-related information assets within 
their assigned area of management control 

m Ensuring that these assets are used for management-approved purposes 
only 




m Ensuring that all employees understand their obligation to protect these 
assets 

m Implementing security practices and procedures that are consistent with 
the Company Information Asset Security Manual and the value of the asset 

m Noting variance from established security practice and for initiating 
corrective action 


Example 1 addresses the checklist as follows: 


m Topic — “Information is a valuable corporate asset.... As such, steps 
will be taken to protect information....” 

m Responsibilities — “The protection of these assets is a basic management 
responsibility.” 

m Scope — “Ensuring that all employees understand their obligation to 
protect these assets.” 

m Compliance — “Noting variance from established security practice and 
for initiating corrective action.” 


This policy is a good start. However, the topic is vague, and that is not 
acceptable. The most important goal of any writing is to quickly identify the 
topic. Without the title, we have only a vague idea of where the document 
is leading us. 

There are key points to remember when writing or editing a policy or 
procedure. Every enterprise has a specific way of identifying itself in print. 
Make certain that you find this information and use only the accepted forms. 
For example, General Motors Corporation might be referred to as GMC. 
However, GMC is a division of General Motors. The accepted forms of 
reference to the entire corporation are General Motors or GM. 

When identifying levels of management, most organizations have established 
a scheme for how differing levels are referred to in print. Normally, 
Management, with an uppercase M, refers to senior management and lowercase 
management refers to line management or supervision. 

In the policy above, the writer referred to the “employing officer.” For 
many enterprises, an officer is the most senior level of management. Officers 
may rank up there with the board of directors. The Chief Executive Officer, 
Chief Financial Officer, etc. are examples of this level of management. It is 
pretty safe to assume that the writer was not intending for such a high-ranking 
individual to be involved in this policy. 


3.8.2 Example 2 — A Medical Service Organization 


The Medical Service Association shall provide an appropriate level of security to: 


m Maintain the reliability, integrity, and availability of its assets 

m Prevent and detect misuse 

m Protect information assets against unauthorized modification, disclosure, 
or destruction (whether accidental or intentional) 




m Satisfy legal and contractual requirements for security 

m Provide enforcement and recovery guidelines (including insurance cov- 
erage) for instances when a compromise of security is detected 

m Protect and provide a secure and safe work environment for its employees 


Expenditures for security generally shall not exceed the value of the asset 
being protected. 

The Management Analysis Department's Security Unit shall be the central 
authority for developing, monitoring, and enforcing association-wide policies, 
procedures, and guidelines. 

Management of each department shall be responsible for: 


m Ensuring adherence to all Association security policies, procedures, and 
guidelines 

m Continually assessing the department's specific security risk 

m Developing and maintaining a disaster recovery plan that both defines 
and protects department assets from unauthorized access and ensures 
their recovery from any misuse or destruction by human or natural means 

m Providing adequate security training of department personnel based on 
the Association Security Training Plan 


All new product or system development shall include adequate security 
internal control, and disaster recovery elements. 

Any use of Association assets for other than their intended purpose is 
considered a misuse and is a violation of this policy. 

Violations or suspected violations of any Association policy or procedure 
must be reported immediately to department management and the Association 
Security Officer or his appointed representative(s). Violators may be subject 
to immediate disciplinary action up to and including termination of employ- 
ment and criminal prosecution, if appropriate. 


Example 2 addresses the checklist as follows: 


m Topic — Eventually the policy establishes that the “Association shall 
provide an appropriate level of security ... of its assets ... and protect 
information assets....” 

m Responsibilities — The policy does establish that “Management of each 
department shall be responsible....” and then lists a number of items. 

m Scope — The policy does not seem to establish whether this is 
Association-wide; the scope of the policy is not clear. 

m Compliance — The policy does establish that “Management ... is 
responsible for ... ensuring adherence to all Association security 
policies, procedures, and guidelines.” 


This policy meets most of the checklist guidelines, but it misses some others 
and then adds pieces of information, such as the discussion on expenditures, 
that probably belong somewhere else. Again, a strong topic sentence is missing. 




You need the attention of readers; the place to get them hooked is the first 
sentence. Sell the policy in the opening sentence. The policy does make a 
strong statement about what can occur if noncompliance is found. 


3.8.3 Example 3 — A Power Company 
Policy Statement 


It is the policy of the Power and Light Company to protect all company 
information from disclosures that would violate company commitments to 
others or would compromise the competitive stance of the company. 


Employee Responsibilities 


Employee responsibilities are defined in Company Procedure AUT 15. Viola- 
tions of these responsibilities are subject to appropriate disciplinary action up 
to and including discharge, legal action, and having the matter referred to law 
enforcement agencies. 


Example 3 addresses the checklist as follows: 


m Topic — The policy statement establishes that “company information 
... that would violate company commitments ... or compromise ... 
competitive stance...” must be protected. 
m Responsibilities — The policy does establish “employee responsibilities.” 
m Scope — Here the policy makes a mistake in the first section: the policy 
actually narrows the scope of the material to be protected by stating 
that “company information ... that would violate company commitments 
... or compromise ... competitive stance....” This statement in fact 
narrows the overall policy direction. 
m Compliance — Straight out: you violate, you pay the penalty. 


Although this policy does meet one of the main requirements of a policy — 
that it be brief — it appears to be too brief. Some very important elements 
are left out, especially what role management will play in this policy and 
how compliance will be monitored. The policy also seems to exclude 
information about personnel. 

The opening sentence discusses the “policy” of the company. The document 
was drafted as a policy statement, so it is not necessary to add the term 
“policy” to the text. Let the words establish what the policy is. 


3.8.4 Example 4 — A Manufacturing Company (International) 
Basic Policies 


The Company relies heavily on various kinds of information resources in 
its daily operations. These resources include data-processing systems, 




electronic mail, voice-mail, telephones, copiers, facsimile machines, and 
other information-generation and exchange methods. It is very important 
for users to recognize that these resources are made available to them to 
help the company meet short- and long-term goals, objectives, and 
competitive challenges. Any improper use of any resource is not acceptable 
and will not be permitted. 

The company policies listed here form the basis for the Information 
Resources Protection Policy (IRPP): 




Data and information about the operation of the company and its 
employees are collected and retained only to satisfy legitimate business 
purposes or as required by law. 

Protecting company information is every employee's responsibility. 
Company people share a common interest in ensuring information is 
not intentionally, accidentally, or improperly disclosed, lost, or mis- 
used. 

Positive steps must be taken to prevent improper disclosure of com- 
pany information and unauthorized access to company information 
resources. 

Data, information, and processing resources are company assets that 
may be used only for management-approved company business purposes 
and not for personal or any other kinds of use or gain. 

Like any company asset, the company reserves the right to inspect 
information resources and their use at any time. 

Company records and information are available to individuals only on 
a need-to-know basis. Access or attempted access to information and 
the use of information resources outside one's authority are prohibited. 

Established corporate and unit procedures are to be used for budgeting, 
approval, and acquisition of information-processing facilities, 
equipment, software, and support services. 

Protective measures must be provided to control access and to protect 
the integrity of all information systems that process information. 
Appropriate safeguards must be built into information-processing 
facilities. These safeguards should minimize the extent of loss of 
information or processing support that could result from such hazards as 
fire, water, or other natural disasters while maintaining operational 
effectiveness. 

Business recovery plans must provide for a continuation of vital 
business functions if loss or failure should occur. 

Independent reviews to ensure that program objectives are being met 
are an integral part of this effort. These reviews may be conducted by 
Corporate Auditing, the internal audit staff of a unit, or external auditors. 
Deliberate unauthorized acts against Company or customer automated 
information system(s) or facilities, including but not limited to misuse, 
misappropriation, destruction of information or system resources, the 
deliberate and unauthorized disclosure of information, or the use of 
unauthorized software/hardware, will result in disciplinary action as 
deemed by management. 




Example 4 addresses the checklist as follows: 


m Topic — Items 4, 5, and 8 can be used and modified to form the text 
of what is to be protected. 

m Responsibilities — Item 2 seems to address this issue. 

m Scope — The policy identifies “users” but does not relate this term to 
actual employees. 

m Compliance — Item 10 addresses formal review. 


Basically, this is a good policy. It can be improved by moving the 
big-ticket items to the top. Whenever a policy is developed, begin with what 
the topic to be discussed is all about. Lead with this information in the first 
sentence. 


3.8.5 Example 5 — An Insurance Company 


Business information is an essential asset of the Company. This is true of all 
business information within the Company, regardless of how it is created, 
distributed, or stored and whether it is typed, handwritten, printed, filmed, 
computer-generated, or spoken. 

All employees are responsible for protecting corporate information from 
unauthorized access, modification, duplication, destruction, or disclosure, 
whether accidental or intentional. This responsibility is essential to Company 
business. When information is not well protected, the Company can be 
harmed in various ways, such as significant loss to market share and a 
damaged reputation. 

Details of each employee's responsibilities for protecting Company infor- 
mation are documented in the Information Protection Policies and Standards 
Manual. Management is responsible for ensuring that all employees understand 
and adhere to these policies and standards. Management is also responsible 
for noting variances from established security practices and for initiating 
corrective actions. 

Internal auditors will perform periodic reviews to ensure ongoing com- 
pliance with the Company information protection policy. Violations of this 
policy will be addressed as prescribed in the Human Resource Policy Guide 
for Management. 


Example 5 addresses the checklist as follows: 


m Topic — Paragraph 1 addresses this issue. 

m Responsibilities — Paragraph 2 addresses employee responsibilities and 
paragraph 3, sentence 2 establishes the management role. 

m Scope — Paragraph 1 addresses the scope of the policy. 

m Compliance — Paragraph 3 refers employees to a company document 
that provides more detail on the responsibilities. Paragraph 4 establishes 
the formal review process. 




I like this policy. It is clear, crisp, and concise. However, it needs work. 
There is too much “why the policy was developed” in it. I like policies to 
stick to the facts and not add information that is not relevant to the actual 
policy. 

Also, the first line of the fourth paragraph actually limits who can perform 
a review of the policy compliance levels. The policy specifically identifies the 
internal audit staff as having this responsibility. Technically speaking, no other 
entity can perform a review task. So be careful with your words. They can 
and will be used against you at a later time. 

Appendix B has additional program policy statements. The next section 
contains examples of topic-specific policy statements. 


3.9 Topic-Specific Policy Examples 


The following topic-specific policies address various areas of concern. Notice 
whether the basic components — thesis statement, relevance, responsibilities, 
compliance — and additional information are included. 


3.9.1 Example 1 — Internet Security Policy 


Introduction 


The Company, through the Internet, provides computing resources to its staff 
to access information, communicate, retrieve, and disseminate organization and 
business-related information. Use of the public Internet by Company employees 
is permitted and encouraged where such use is suitable for business purposes 
in a manner that is consistent with the Company standards of business conduct 
and as part of the normal execution of an employee's job responsibilities. In 
addition, the Company provides intranet facilities as a means of sharing timely 
organization and business-related information throughout the company. 

As with all Company policies, this policy applies to all employees, 
contractors, consultants, as well as any other individuals utilizing the 
Company-provided Internet connection. 


Policy Objectives 


The Internet Security Policy has been implemented to: 


m Provide direction for the protection of Company-owned and controlled 
information assets. 

m Establish standards for providing desktop access to the Internet. 

m Identify safeguards to enable the exchange of Company information 
with other Internet users while protecting the business interests of the 
Company and the privacy right of the employees. 

m Identify enterprise responsibilities in regard to local, state, federal, or 
international regulations and laws governing electronic information 
exchange and commerce. 




Internet Access Standards 


m The use of Company-provided access to the Internet is intended exclu- 
sively for management-approved activities. 

m All access to the Internet by employees must be done through the 
Company-provided method. 

m All publications/content files not classified as PUBLIC in accordance 
with the Company Information Classification Policy, must be approved 
by Corporate Communications. 

m All business cases for Internet initiatives must be submitted to ES 
Network Control and ES Information Security. 

m Company Internet users must report all security-related incidents to 
appropriate management upon discovery. 

m Company policies regarding Employee Standards of Conduct, Conflict 
of Interest, Company Ethics Policy, Equal Employment Opportunity and 
Diversity in the Workplace, Communication and Information Protection 
also apply to the Internet. 

m Employees must submit a completed Internet Usage and Responsibility 
Agreement prior to Company-provided Internet access (Exhibit 2). 


Exhibit 2 Internet Usage and Responsibility Agreement 


Internet Usage and Responsibility Agreement 


I acknowledge and understand that access to the Internet, as 
provided by the Company, is for Management-approved use only. This supports Company 
policies on Standards of Conduct and Equal Employment Opportunity and Diversity, and 
among other things, prohibits the downloading of games, viruses, inappropriate materials 
or picture files, and unlicensed software from the Internet. 


I recognize and accept that while accessing the Internet, I am responsible for 
maintaining the highest professional and ethical standards, as outlined in Company 
policy on Standards of Conduct. 


I have read and understand the Company policies mentioned above and accept my 
responsibility to protect the Company's information and good name. 


Name Date 


3.9.2 Example 2 — A Telecommuting Policy 
Policy 


The Company allows telecommuting where there are opportunities for 
improved employee performance, reduced commuting miles, and/or potential 
for savings for the Company or business unit. 




Provisions 


Business Units may implement telecommuting as a work option for certain 
employees based upon specific criteria and procedures consistently applied 
throughout the agency. Business Units opting to implement a telecommuting 
policy for their departments shall ensure that each employee request is 
considered in relation to the departmental operating requirements and cus- 
tomer needs. 


m Consideration may be given to employees who have demonstrated 
work habits and performance well suited to successful telecommuting. 

m Telecommuting criteria and procedures shall be evaluated to ensure their 
benefits and effectiveness. 


The telecommuter's conditions of employment shall remain the same as 
for non-telecommuting employees. Employee salary, benefits, and employer- 
sponsored insurance coverage shall not change as a result of telecommuting. 


m Business visits, meetings with Your Company customers, or regularly 
scheduled meetings with co-workers shall not be held at the home 
worksite. 

m Telecommuting employees shall not act as primary caregivers for 
dependents nor perform other personal business during hours agreed upon 
as work hours. 

m Tele-worksites shall be in the same state as the central worksite. 


The Company shall provide tele-worksite office supplies. Equipment and 
software, if provided by the business unit for use at the tele-worksite, shall 
be for the purposes of conducting Company business. 

The telecommuter shall normally provide home worksite furniture and 
equipment. The employee shall maintain a clean, safe workspace. In the case 
of injury occurring during telecommuting work hours, the employee shall 
immediately report the injury to the supervisor. 


Responsibilities 


Employees shall sign and abide by a telecommuting agreement between the 
employee and the supervisor. A model agreement, an addendum to this policy, 
may require modification to fit individual tele-worksite circumstances 
(Exhibit 3). 


m Telecommuting shall be voluntary. Unless otherwise provided in the 
agreement, either the Business Unit or the employee may discontinue 
the arrangement at any time, generally giving one week's notice. 

m The agreement shall specify individual work schedules. 




Exhibit 3 Model Telecommuting Agreement 


MODEL TELECOMMUTING AGREEMENT 


TELE-WORKSITE 
Travel between the tele-worksite and the central worksite shall not be reimbursed. 
— Home (Specify location in home) 


— Satellite 

— Other (Specify) 
Address: 

Phone: 


CENTRAL WORKSITE 
Will there be any sharing of or changes in work space when telecommuting begins? 
Yes No 


If yes specify: 


SCHEDULE 
Telecommuting days: Mon. Tue. Wed. Thur. Fri. 


If telecommuter must come into the office on a scheduled telecommuting day, may 
another day be substituted? Yes No 


Telecommuting time: Start Finish Total Hours Per Day 
Lunch to 


EQUIPMENT 

The Company is not responsible for any private property used, lost, or damaged. 
The Company may pursue recovery from the employee for property that is 
deliberately or negligently damaged or destroyed while in the employee's care, 
custody, or control. The Company is responsible for the deductible on Company 
property unless otherwise specified in this agreement under OTHER 
ARRANGEMENTS. Employees are advised to contact their insurance agent and a tax 
consultant for information regarding home worksites. 


In the event of equipment failure, the employee may be assigned to another project 
and/or work location. The employee shall surrender all Company-owned 
equipment and data documents immediately upon request. 


What equipment will be used? 


ITEM INVENTORY NO. OWNER 

(list) 

Will there be a modem connection to a state LAN or mainframe? Yes No 
Is there any other computer security issue? Yes No 




If yes to either question, has advice been obtained from Information 
Protection? Yes No 


COMMUNICATION 
Will the following be utilized: 
Call forwarding? Yes No 


Answering machine or voice mail? Yes No 
Receptionist or co-workers take calls? Yes No 


How will incoming calls to the central worksite be answered on telecommuting 
days? 

The employee agrees to call the office to obtain messages at least times a day. 
Call in times: (list) 


The employee shall promptly notify the supervisor when unable to perform work 
assignments due to equipment failure or other unforeseen circumstances. 


Other procedures: (list) 


ARRANGEMENTS 

Date telecommuting to begin: 

Intervals for telecommuting agreement review: 

Agency policy for payment of business telephone and data calls from the tele- 
worksite: (attach) 


The employee and supervisor plan to participate in ODOE-sponsored training and 
assistance? 


TERMINATION 
Unless specified in OTHER ARRANGEMENTS, the Company and/or employee may 
discontinue this arrangement at anytime generally giving one week's notice. 


OTHER ARRANGEMENTS 
Additional conditions agreed upon by the employee and supervisor: (list) 


I have read and understand both the telecommuting policy and this agreement 
and agree to abide by and operate in accordance with their terms and conditions. 
I agree that the sole purpose of this agreement is to regulate telecommuting and 
that it neither constitutes an employment contract nor an amendment to any 
existing contract. 


Employee Supervisor Date 




Compliance 


Company management has the responsibility to manage corporate information, 
personnel, and physical property relevant to business operations, as well as 
the right to monitor the actual utilization of all corporate assets. 

Employees who fail to comply with the policies will be considered to be 
in violation of Your Company's Employee Standards of Conduct and will be 
subject to appropriate corrective action. 


3.9.3 Example 3 — Information Classification 
Policy 


Information is a company asset and is the property of the Your Company. 
Your Company information includes information that is electronically gener- 
ated, printed, filmed, typed, stored, or verbally communicated. Information 
must be protected according to its sensitivity, criticality, and value, regardless 
of the media on which it is stored, the manual or automated systems that 
process it, or the methods by which it is distributed. 


Provisions 


To ensure the proper protection of corporate information, the Owner shall 
use a formal review process to classify information into one of the following 
classifications: 


m Public: Information that has been made available for public distribution 
through authorized company channels. (Refer to Communication policy 
for more information.) 

m Confidential: Information that, if disclosed, could violate the privacy 
of individuals, reduce the competitive advantage of the company, or 
could cause significant damage to Your Company. 

m Internal Use: Information that is intended for use by employees when 
conducting company business. Most information used in Your Company 
would be classified Internal Use. 


Declassification 


The Owner is to establish a review process for all information classified as 
Confidential, and reclassify it when it no longer meets the criteria established 
for such information. 


Responsibilities 


Employees are responsible for protecting corporate information from unau- 
thorized access, modification, destruction, or disclosure, whether accidental 
or intentional. To facilitate the protection of corporate information, 




employee responsibilities have been established at three levels: Owner, 
Custodian, and User. 


1. Owner: Your Company management of an organizational unit, department, 
etc. where the information is created, or that is the primary user 
of the information. Owners are responsible to: 

a. Identify the classification level of all corporate information within 
their organizational unit. 

b. Define and implement appropriate safeguards to ensure the confi- 
dentiality, integrity, and availability of the information resource. 

c. Monitor safeguards to ensure their compliance and report situations 
of noncompliance. 

d. Authorize access to those who have a business need for the information. 

e. Remove access from those who no longer have a business need for 
the information. 

2. Custodian: Employees designated by the Owner to be responsible for 
maintaining the safeguards established by the Owner. 

3. User: Employees authorized by the Owner to access information and 
use the safeguards established by the Owner. 


Compliance 


Company management has the responsibility to: 


m Manage corporate information, personnel, and physical property rele- 
vant to business operations, as well as the right to monitor the actual 
utilization of all corporate assets. 

m Ensure that all employees understand their obligation to protect com- 
pany information. 

m Implement security practices and procedures that are consistent with 
Your Company policies and the value of the asset. 

m Note variances from established security practice and initiate 
corrective action. 


Employees who fail to comply with the policies will be considered to be in 
violation of Your Company Employee Standards of Conduct and will be subject 
to appropriate corrective action. 


3.10 Additional Hints 


To have even the slightest hope of success, the policy must receive some level 
of visibility. Visibility takes a number of forms. The first, and probably most 
important form, will be management support. The issue of information security 
is not contained within the information systems organization. It is an enterprise- 
wide concern, and so any policy relating to the protection and security of 
organization information must come from the highest possible level within the 




enterprise. Begin early to develop strategies to gain management and employee 
support. Formulate a plan, in writing, on how to get senior management support. 
A written plan will foster a clear understanding of what you intend to do and 
how you plan to accomplish it. Your plan should identify key individuals or 
groups that might impact your success and should include a timetable for when 
essential activities or tasks will be accomplished. If the policy will be submitted 
to a formal committee for approval, begin early to solicit feedback from individual 
members of that group. Pay attention to individual concerns and work to reconcile 
any potential conflicts as the policy is developed. The idea is to provide individual 
decision-makers an opportunity to see and participate in the development of the 
policy before it is formally submitted to the approving-committee as a whole. It 
is much easier to sell a policy to those that helped create it. 

As discussed in Chapter 9, a communication plan is necessary to take the 
message policy and all of its ramifications to the employees. This plan should 
include an employee awareness program. The program should include all 
existing employees and incoming new hires. If the organization desires to 
have contract personnel be compliant with the policies, then this must first 
be negotiated through the language of the contract. It is permissible to include 
contract personnel in the list of those who must comply with the policy; 
however, the actual compliance agreement must be included in the language 
of the purchase order and the contract. 


3.11 Topic-Specific Policy Subjects to Consider 


The ISO 17799 standard has identified a number of policies that every 
organization should consider. The following is a summary of those recom- 
mendations. Appendix A contains a Policy Baseline Checklist to assist you in 
your development process. 

Remember that the ISO standards are really guidelines. That is, the listed topics 
should be considered, though not necessarily included, in your policy statement. 


3.11.1 Topic-Specific Policies 


1. Security policy 
Information security policy 

2. Security organization 
Information security infrastructure 
Security of third-party access 

3. Assets classification and control 
Accountability for assets 
Information classification 

4. Personnel security 
Security in job definition and resourcing 
User training 
Responding to incidents 




5. Physical and environmental security 
Secure areas 
Equipment security 
6. Computer and network management 
Operational procedures and responsibilities 
System planning and acceptance 
Protection from malicious software 
Housekeeping 
Network management 
Media handling and security 
Data and software exchange 
7. System access control 
Business requirement for system access 
User access management 
User responsibilities 
Network access control 
Computer access control 
Application access control 
Monitoring system access and use 
8. Systems development and maintenance 
Security requirements of systems 
Security in application systems 
Security in application system files 
Security in development and support environments 
9. Business continuity planning 
Aspects of business continuity planning 
10. Compliance 
Compliance with legal requirements 
Security reviews of IT systems 
System audit considerations 


3.12 An Approach for Success 


An effective policy statement is not an oxymoron. If properly drafted, a policy 
statement can actually improve productivity rather than add to organizational 
overhead. The following is a ten-step approach to help improve the likelihood 
of a successful policy implementation process. 


1. Review existing policies — Before writing a new policy, review what 
already exists. It is easier to update an existing policy than it is to gain 
acceptance of a totally new concept. 

2. Make the business objectives or mission of the organization an active 
part of the policy — There is a reason that policies are created, and 
that is to support the activities of the enterprise. To help gain accep- 
tance, use the language in your organization's "Shared Beliefs" or 
"Corporate Vision" in the policy statement. 


Policy Development 47 


3. Make policies look like policies — Take the time to ensure that whatever 
is created looks like existing policies. All too often the message gets lost 
because the format is unfamiliar. Save your development team some 
grief and research the policy format of your organization. 

4. Watch out for grammar and spelling — The worst thing that you can 
do is send out a draft document that has not been edited for spelling 
and grammar. Show the user community that proper care has been 
taken; by looking out for the "little" things, you increase the chances 
of success. 

5. Streamline the language — Most advanced writing courses have the 
students explore all the elements of language, painting pictures through 
the use of prose. Although that may be effective in a class in writing 
fiction, it will not help in a policy document. 

6. 100 percent security is not attainable — Be realistic in your policy 
implementation. The most secure computer system is one that is turned 
off, locked away, and unplugged. A computer in this condition is secure, 
but productivity is probably going to be impacted. Seek out an accept- 
able level of security. 

7. Remember the audience — Whenever writing, remember who you are 
writing for. The majority of the readers will not be technical or security 
professionals. Ensure that the words are understandable. 

8. Sell the policy prior to introduction — We discuss this point in a later 
section; for now, remember that senior management must be fully 
aware of the policy and understand how it applies to the organization 
before it is submitted for approval. 

9. Keep the message brief — Long-winded or complicated policies lead to 
trouble. Keep the policy as simple as possible. This will limit variation 
in interpretation, and because it is brief, there will be a better 
chance that someone will actually read the policy. 

10. Take the message to the people — Be prepared to develop employee 
awareness programs for the implementation of the policy. 


3.13 Additional Examples 
3.13.1 Example 1 — Information Protection Policy for QXZ 


Information is an essential asset of QXZ. All information created in support 
of the business process, whether it is computer generated, manually produced, 
or spoken, is the property of QXZ. To ensure that business objectives and 
customer confidence are maintained, all associates have a responsibility to 
protect information from unauthorized access, modification, disclosure, and 
destruction, whether accidental or intentional. 

Senior management and the officers of QXZ are required to employ 
internal controls designed to safeguard company assets, including business 
information. It is a management obligation to ensure that all associates 
understand and comply with the QXZ security policies and standards as well 




as all applicable laws and regulations. Associate responsibilities for protecting 
QXZ information are detailed in the Information Protection Policies and 
Standards. 

QXZ management has the responsibility to manage corporate information, 
personnel, and physical property relevant to business operations, as well as 
the right to monitor the actual utilization of all corporate assets. Associates 
who fail to comply with this policy will be considered to be in violation of 
the QXZ Code of Corporate Responsibility and will be subject to appropriate 
corrective action. 


Responsibilities 


■ Managers shall develop and administer an information protection pro- 
gram that appropriately classifies and protects corporate information 
under their control and makes employees aware of the importance of 
information and methods for its protection. 

■ The Corporation should provide the highest level of visibility and 
support for the philosophy of protection and also provide a focal point 
for solving information protection problems. 

■ Employees shall protect corporate information from unauthorized 
access, modification, duplication, destruction, or disclosure. 

■ Information providers shall authorize access to only those with a 
genuine business need. 


3.13.2 Example 2 — Hospital Information Classification Policy 
Preamble 


It is a long-standing value that information be shared subject to privacy 
and confidentiality requirements. This reflects the fact that information is a 
unique resource that increases rather than dissipates when it is used. 
Consistent with this principle, Hospital University along with Hospital 
Healthcare (hereafter referred to as "Hospital") seek to provide appropriate 
access to Hospital information among its employees, students, faculty, 
physicians, contractors, vendors, volunteers, and other agents (hereafter 
referred to as "Hospital staff"). Access to Hospital information, however, 
carries with it the responsibility to protect confidentiality and integrity. To 
enhance access to Hospital information, this policy sets forth rules for its 
handling and use. 


Purpose 


To establish Hospital's policy for the use, protection, and preservation of all 
information, in any form, which is generated by, owned by, or otherwise in 
the possession of Hospital, including all administrative, clinical, and academic 
information ("Hospital Information"). 




Information Access Policy Statement 


Hospital Information is one of the most valuable assets of Hospital and must, 
therefore, be safeguarded by all agents representing Hospital. Unless otherwise 
stated in writing, all Hospital Information is considered confidential. 

Hospital staff, as either information providers or information users, who inten- 
tionally and without proper authorization (1) access or disclose confidential 
Hospital Information or (2) modify or destroy Hospital Information are in direct 
violation of the Hospital Information Access Policy. Such violations may lead to 
disciplinary action by Hospital up to and including dismissal from Hospital. Under 
certain circumstances, such violations may give rise to civil and/or criminal liability. 

The Hospital University Information Access Review Board and the Hospital 
Healthcare Professional Services Committee maintain oversight responsibility 
for this policy. Comprising key information custodians or their delegates, these 
groups are charged vvith custody of Hospital Information. The Hospital Uni- 
versity Information Technology Division and Hospital Healthcare Information 
Services provide access to information and implement security, as authorized 
by the Hospital University Information Access Review Board and the Hospital 
Healthcare Professional Services Committee. The Information Technology Pol- 
icy Committee has authority to resolve conflicts and arbitrate disputes. 


Scope 
This policy applies to: 


■ All information supporting the academic, business, clinical, and oper- 
ational needs of Hospital. 

■ Information in all forms, including information-processing activities, 
computerized information, whether kept in mainframes, databases, 
servers, or personal and manually maintained files. 

■ All application, network, and operating system software used for com- 
puterized management of this information. 

■ Computerized information-processing activities related to Hospital Uni- 
versity's research and instruction only where the Hospital University 
Information Access Review Board determines that such activities should 
specifically be covered by this policy. 


Definitions 


Access — Access is permission, privilege, or ability to read, enter, update, 
manage, or administer access to Hospital information assets. Authorized 
by the custodian of the information, access is dependent upon the 
sensitivity of the information. “Sensitivity” is determined by legal respon- 
sibility of Hospital and the specific job responsibilities of the individ- 
ual(s) for whom access is requested. 

Agent — An agent is anyone empowered to act for Hospital. 




3.13.3 Example 3 — Information Protection Policy for the UNION 
Family of Companies 


Information is an essential asset of the UNION Family of Companies. All 
information created in support of the business process, whether it is computer- 
generated, manually produced, or spoken, is the property of UNION. To ensure 
that business objectives and customer confidence are maintained, all employ- 
ees have a responsibility to protect information from unauthorized access, 
modification, disclosure, and/or destruction, whether accidental or intentional. 

Senior management and the Officers of the Company are required to 
employ internal controls designed to safeguard company assets, including 
business information. It is a management obligation to ensure that all employ- 
ees understand and comply with the Company's security policies and standards 
as well as all applicable laws and regulations. Employee responsibilities for 
protecting Company information are detailed in the Information Protection 
Policies and Standards. 

Company management has the responsibility to manage corporate infor- 
mation, personnel, and physical property relevant to business operations, as 
well as the right to monitor the actual utilization of all corporate assets. 
Employees who fail to comply with the policies will be considered to be in 
violation of the Company's Ethical Standards of Conduct and will be subject 
to appropriate corrective action. 


3.14 Summary 


In this section we determined that the policy is the cornerstone of the 
information security architecture of an organization. It is important to establish 
both internally and externally what the position of an organization on a 
particular topic might be. 

We then looked at what a policy is and what it is not. We reviewed the 
definitions for policy, standard, guideline, and procedure. 

We examined the key elements of a policy: 


Be easy to understand 
Be applicable 
Be doable 
Be enforceable 
Be phased in 
Be proactive 
Avoid absolutes 
Meet business objectives 


We reviewed format and component considerations for the three basic types 
of policy: program policy, topic-specific policy, and application-specific policy. 

In addition, we examined actual policy statements and critiqued them based 
on the checklist. Some helpful hints and pitfalls to avoid were provided. 




It bears repeating that information is a unique enough asset to warrant 
a written statement regarding its protection. Policies, standards, guidelines, 
and procedures form the basis of good controls, and good controls make 
good business sense. Implementing proper controls, documenting them in 
writing, and communicating them to all affected individuals and entities can 
provide an organization with real cost benefit by avoiding public criticism 
and saving time in the event an investigation and subsequent disciplinary 
process is necessary. 

Most importantly, only a written policy can be convincing in courts of law, 
customer contracts, vendor relations, acquisitions, and public relations. 


Chapter 4 


Mission Statement 


A well-written and properly endorsed mission statement or charter will allow 
you to focus on the areas that require control. The mission statement will also 
educate employees about the overall direction of your assignment. By stating 
your mission, you will be laying the groundwork for the success, acceptance, 
and incorporation of a corporate information protection program. 

Most organizations view mission statements or charters as enabling acts. 
That is, they establish the scope of responsibility for each department or 
individual. Most organizations have a procedures and methods division within 
the financial staff. The job of the procedures and methods division is to 
generate the accounting practices and procedures that will ensure that the 
organization complies with generally accepted accounting principles 
(GAAP). Fortunately, the field of information and computer security 
finally has an equivalent. The Information Technology Code of Practice for 
Information Security Management (ISO 17799) has developed Section 4, 
Organizational Security, to provide the key elements for a mission statement. 


4.1 Background on Your Position 


Before you can begin working on your mission statement, you will have to 
understand two important issues. The first issue concerns why you are here. 
This is not an open-ended question about your existence, but rather why your 
function needs to be part of the structure of your organization. Most people 
would rather be doing something else, something exciting and visible, anything 
but be the information systems security officer. The second issue is why 
management assigned the task in the first place. Management does not 
undertake establishing positions unless it is getting pressure from another 
source, such as senior management or open audit comments. 




Before you begin to write your mission statement, you must first fully 
understand why you were selected to do the job and why management decided 
that this is the time in the life of the organization to create a mission statement. 
The answers you receive will allow you to create a mission statement with 
an appropriate focus. 

To create an efficient and effective computer security program, it is best 
to begin the process at the corporate headquarters or main office and then 
solicit input from the divisions, groups, units, and subsidiaries and from certain 
identified individuals. By involving as many of the business units as possible, 
the level of resistance may be reduced. 

Because of varying organizational methods (and because you want to 
ensure your job will not be eliminated), you must understand fully the 
organizational structure and the events that led to assigning you to the project. 
Once you have this information, you can create an outline of specific goals 
that will be used to meet the policy objectives. When the outline is completed, 
you will want senior management to approve the development of your mission 
statement. Only when the mission statement is completed and endorsed will 
the road to a computer security program be paved. 


4.2 Business Goals versus Security Goals 


People who work in computer departments often focus on their immediate 
concerns and, in the process, lose sight of the goals of the organization. 
Every organization has an overall business objective. To make your computer 
security program constructive, you must seek out the business objectives of 
the organization and ensure that your security program meets and supports 
those goals. 

As an employee in the department charged with the role of defining security 
controls, you must acknowledge that security is not the most important product 
of your organization. Any computer and information security objectives you 
develop must be adapted to meet the practical business conditions of your 
organization. Security controls that inhibit the business function of the orga- 
nization will be quickly discarded. Poorly written procedures will not support 
the fiduciary responsibility of management to protect assets. 

Because of the inherent difference between protecting information and 
promoting business, your job assignment may often appear to be in direct 
conflict with the objectives of the rest of the organization. 

After all, the most secure computer system is one that is down. However, 
although the data is safe from unauthorized access, having the system down 
does not meet any business goals or justify its installation in the first place. 
So your goal is to ensure that when the computers are operational, only those 
employees with a legitimate need for access will be granted access, and they 
will be allowed access on a need-to-know basis. With proper controls in place, 
the organization will have maximum security with a minimum of impact, and 
the security will be cost-effective. 


Mission Statement 55 


The business objectives of your organization are usually stated in readily 
available sources, such as: 


Annual reports to stockholders 
Organizational charts 
Strategic planning information 
Interviews with staff members 
Annual corporate budget proposals 


The annual report is especially valuable to you as a security officer. This 
document contains the management report, in which the chief operating officer 
and chief financial officer attest that there are adequate controls in place to 
protect the organization from loss of assets and prevent the organization from 
being at risk. By using this information, you will learn the business objectives 
of the organization and gain senior management support in the development 
of adequate controls. 


4.3 Computer Security Objectives 


Before reviewing existing mission statements and then creating your own, you 
must explore the elements of a comprehensive information security program. 
Remember: computer security is just one part of the overall asset protection 
program of the organization. Although you will address the physical security 
of computers and you need to protect the considerable investment in computer 
hardware, you must realize that the computer only functions as the processor 
and storage device for information. The information, data, programs, applica- 
tions, transactions, and systems are extremely valuable, and they must be 
protected as well as the hardware. If the data has been backed up, then the 
system can eventually be brought back up. However, if the data has not been 
backed up, nothing can bring the system back. So be sure to include controls 
on the assets as well as the hardware. 

The following items are generally accepted standards for a comprehensive 
security program: 


■ Ensure the accuracy and integrity of data. 

■ Protect classified data. 

■ Protect against unauthorized access, modification, disclosure, or destruc- 
tion of data. 

■ Ensure the ability of the organization to survive the loss of computing 
capacity (disaster recovery planning). 

■ Prevent employees from probing the security controls as they perform 
their assigned tasks. 

■ Ensure management support for the development and implementation 
of security policies and procedures. 




■ Protect management from charges of imprudence in the event of any 
compromise of the information or computer security controls of the 
organization. 

■ Protect against errors and omissions (which still account for 75 to 80 
percent of losses). 


4.4 Mission Statement Format 


Most mission statements begin with a brief paragraph explaining the overall 
goals of the information or computer security program. This initial statement 
takes the concepts established in the policy statement (refer to Computer 
Security Journal, Volume VII, Number 2, "Policy Statement: The Cornerstone 
to All Procedures") and expands them into the goals to be addressed by your 
department. Your mission statement or charter should also reflect the style of 
your organization. As discussed, you need the background on management's 
impetus for establishing policies and procedures and on the overall business 
objectives to begin writing a mission statement. 

After the section on goals, the mission statement should then list your 
responsibilities. The responsibilities are usually presented in active voice and 
provide the key elements of your job description. The effectiveness of the 
security program you develop and your effectiveness as an individual 
employee will be judged on the basis of the responsibilities you describe. 


4.5 Allocation of Information Security Responsibilities 
(ISO 17799-4.1.3) 


Responsibilities for the protection of individual assets and for carrying out specific 
security processes should be clearly defined. 

The information security policy (see Chapter 5) should provide general 
guidance on the allocation of security roles and responsibilities in the orga- 
nization. This will need to be supplemented, where necessary, with more- 
detailed guidance for specific sites, systems, or services. Local responsibilities 
for individual physical and information assets and security processes, such as 
business continuity planning, should be clearly defined. 

In many enterprises an information security manager will be appointed 
to take overall responsibility for the development and implementation of 
security and support identification of controls. (Examples of job descrip- 
tions for Corporate/Chief Information Officer or CIO, Information Security 
Manager, Security Administrator, and Firewall Administrator are found in 
Appendix E.) 

However, responsibility for resourcing and implementing the controls will 
normally remain with individual managers. One common practice is to 
appoint an owner for each information asset who then becomes responsible 
for its day-to-day security (see Information Protection Policy in the Appendix 
to the ISO 17799). 




Owners of information assets may delegate their security responsibilities 
to individuals within their business unit or department. Nevertheless, the owner 
remains ultimately responsible for the security of the asset and should be able 
to determine that any delegated responsibility has been discharged correctly. 


4.6 Mission Statement Examples 


4.6.1 Example 1 — Mission Statement for a Global 
Manufacturing Corporation 


As operations and related information processing become more decentralized 
through the use of PCs, controls and procedures become more important. 
And as remote access, networks, and distributed information processing make 
possible still greater globalization and decentralization of computer-generated 
data, the potential for unauthorized access to company secret, confidential, 
and restricted information increases. To provide the corporation with the 
highest level of visibility and support for the philosophy of information security 
and to provide the groups, units, divisions, sections, staffs, and departments 
with a focal point for solving security problems, a Corporate Information 
Security Group has been established and will report to the Director of Security. 


Example 1 — Mission Statement for a Global Manufacturing Corporation 


Corporate Information Security Group responsibilities include: 


■ Keep information and computer security policies and procedures current. 

■ Answer all inquiries on compliance and interpretation of corporate policies. 

■ Review all computer and information audit comments and the associated responses, 
thereby providing independent review of audit comments and unit responses. 

■ Review the employee Security Awareness Program to ensure that it remains an 
effective tool for information security controls. 

■ Assist departments in developing recovery plans and oversee the testing of these 
plans. 

■ Review new computer and information security products and make 
recommendations on these products to ensure they meet minimum corporate 
requirements. 

■ Assist in the investigation and reporting of computer equipment thefts, 
intrusions, viruses, and breaches of information security. 

■ Assist local Information Security Officers in developing effective training 
programs for the Plant Security Officers in the areas of computer crime and 
investigation. 

■ Assist in the development of effective monitoring programs to ensure that 
corporate information is protected as required. 

■ Ensure that the systems moved into production mode are safe from errors and 
omissions. 




Report of Management 

Company management is responsible for the fair presentation and consistency of 
all financial data included in this Annual Report in accordance with generally 
accepted accounting principles. Where necessary, the data reflects management's 
best estimates and judgments. 


Management is also responsible for maintaining a system of internal accounting 
controls with the objectives of providing reasonable assurance that Company assets 
are safeguarded against material loss from unauthorized use or disposition and that 
authorized transactions are properly recorded to permit the preparation of accurate 
financial data. Cost-benefit judgments are an important consideration in this regard. 
The effectiveness of internal controls is maintained by (1) personnel selection and 
training; (2) division of responsibilities; (3) establishment and communication of 
policies; and (4) ongoing internal review programs and audits. Management 
believes that the Company's system of internal controls as of December 31, 1989, is 
effective and adequate to accomplish the above described objectives. 


(signed) Chairman and Chief Executive Officer 


(signed) Senior Vice President and Chief Financial Officer 


(date) 


The statement in Example 1 has a broad scope to accommodate all the 
sites, both foreign and domestic, of a large organization. Although this is an 
effective charter for a multinational corporation, it may not suit the needs of 
your company. The next examples narrow the scope of responsibility and 
may be more in line with your needs. 


4.6.2 Example 2 — Mission Statement for a North American 
Manufacturing Company 


An Information Security Administration Function (ISAF) shall be developed 
to establish standards, procedures, and guidelines as deemed necessary to 
ensure the security of information throughout the company. The "owners" 
of information (as defined later) will be required to take prudent security 
measures, with the assistance of the ISAF, to protect information from 
unauthorized modification, destruction, or disclosure, whether accidental 
or intentional. 

This mission statement says that the role of the ISAF is to develop written 
documents to ensure the security of company information. Beyond that, the 
specific duties of the ISAF are vague. This mission statement lacks the 
concrete identification of activities that can be completed by the ISAF. The 
tone of the language used for the Responsibilities (Example 2) could also 




Example 2 — Responsibilities: Data Security Goals 


■ Develop a uniform protection policy. 

■ Have a data classification system to aid business managers in evaluating their 
data assets. 

■ Identify owners for all data sets. 

■ Have operators of the off-site data storage facility function as data custodians. 

■ Install and administer an access control package with a minimal use of 
passwords. 

■ Educate all users on the importance and use of security measures. 


be more action-oriented. For example, “Have a data classification system...” 
could be improved by stating, “Implement a data classification system....” 
A brief note about the term security: security is one of those words that 
everyone interprets differently. In this book, security is synonymous with pro- 
tecting company assets, both physical and intellectual. Protection is an active 
process that motivates employees to safeguard the assets of the organization. 


4.6.3 Example 3 — Mission Statement for a Corporate Data 
Processing Department 


The Information Systems Security Officer (ISSO) has been established to ensure 
that corporate data is protected from unauthorized modification, disclosure, 
and destruction and to ensure that the corporation has security measures to 
carry out its responsibilities as defined by law and the courts. 

While the goals listed in Example 2 are certainly admirable, there are no 
corresponding statements that define how the ISSO will implement these goals. 
More concrete recommendations are necessary for developing the security 
program of this company. 


4.6.4 Example 4 — Mission Statement for the Corporate 
Information Security Administration 


Example 4 shows an aggressive mission statement, but it may also be unre- 
alistic. The CISA will assume the responsibility for security measures through- 
out the corporation. Unless there is adequate staff, the objectives are far too 
broad for a typical computer security department to undertake. If you develop 
a detailed mission statement like this one, make certain that you are not the 
only person assigned to work on computer security. 


4.6.5 Example 5 — Mission Statement for a Medium-Sized 
Manufacturing Company 


While the mission statement shown in Example 5 is longer than is typical, it 
is thorough. Management responsibilities are defined from the start, and these 




Example 4 — Mission Statement for the Corporate Information Security 
Administration 


Contribute to the Corporate Information Security Program by performing the 
following tasks: 

■ Implement and coordinate the Corporate Information Security Policy and 
Program. 

■ Design and implement a Corporate Security Awareness Program. 

■ Design a strategy for detecting actual security risks. 

■ Prepare companywide policies. 


Assist management in performing its security responsibilities by performing the 
following tasks: 

■ Assess proposed access controls. 

■ Prepare and publish guidelines and standards. 

■ Assist areas in the development and enforcement of internal security 
procedures. 

■ Ensure that criteria for sensitive and critical information are current and 
appropriate to the needs of the corporation. 

■ Train the area coordinators in maintaining and enforcing guidelines and 
standards. 

■ Participate in the application development cycle. 

■ Advise on contingency planning and disaster recovery plans. 


Prepare and monitor management processes to prevent and handle perceived 
information access violations by performing the following tasks: 

■ Perform reviews of all information security access control systems. 

■ Ensure that appropriate information security requirements are being enforced. 

■ Approve all events in which established information safeguards are overridden 
and ensure that each override is documented. 

■ Ensure that security violations are reported to the appropriate manager. 

■ Contribute to the annual audit report on information security and access. 


Recommend allocation of resources and technology enhancements to meet 
information security objectives by performing the following tasks: 

■ Select and administer all information security access control systems. 

■ Review existing and proposed hardware and software for security considerations 
and make recommendations, as appropriate. 

■ Delegate limited administrative authority to other individuals or groups, if 
appropriate. 

■ Execute a risk assessment of sensitive data and the cost of protecting it. 


Example 5 — Mission Statement for a Medium-Sized Manufacturing Company 


Introduction
This document defines the scope and direction for the information security function. The duties and responsibilities set forth will serve as the charter for the group.


Mission Statement 61 




Responsibilities of Management 

To fulfill present and future business commitments, steps must be taken to ensure the accuracy, privacy, and security of our computers, communication networks, electronically processed data, and manual data. The responsibility for safeguarding corporate information rests with all employees, but it is the coordinated effort of management and information security that will:

• Minimize the probability of security breaches.
• Minimize the damage if such a breach occurs.
• Ensure the company's ability to recover from damage with minimal disruption of service.


It is a basic management responsibility to protect resources necessary to conduct 
business. Management is responsible for identifying and protecting hardware, 
software, and data resources under its control. This task is accomplished by 
implementing security policies and practicing security procedures commensurate 
with the value of the asset to the company. 


Responsibilities of Information Security Management 
Mission 
To provide a secure environment for the information assets of the company. 


Strategies 

• Monitor and audit adherence to security policies and procedures on a daily basis.
• Maintain an ongoing and corporatewide security awareness program relating to information asset protection.
• Act as a catalyst to make security a part of each employee's daily activities.
• Ensure that the company has adequate protection for its business information assets and the most cost-effective tools to eliminate security breaches.
• Maintain an ongoing security audit process to review security exposures or breaches in a timely manner.


Key Responsibilities 

• Establish and enforce the following general data security rules in conjunction with management:
  - Information shall be created and maintained in a secure environment.
  - Practices shall be in place to prevent unauthorized modification, destruction, or disclosure of information, whether accidental or intentional.
  - Safeguards shall be implemented to ensure the integrity and accuracy of vital company information.
  - The cost of information security shall be commensurate with the value of the information to the company, the company's customers, and potential intruders.
• Formulate an overall security plan for the corporation.
• Review company information security practices regularly, considering technological, environmental, and statutory requirements and trends. Keep abreast of new security developments that could affect the company.




62 Information Security Policies, Procedures, and Standards 




• Perform reviews and act as a consultant in matters affecting information security.
• Provide support to all employees as they fulfill security-related responsibilities.
• Perform security administrator duties in areas where direct responsibility for information security has been assigned.
• Conduct periodic risk analysis inspections of data processing facilities and software systems to identify security exposures and report the findings to the respective management.
• Develop, maintain, and implement policies, procedures, and guidelines to assure information security.
• Assist plant security to develop, maintain, and implement policies, procedures, and guidelines to assure the physical protection of information assets.
• Provide information security awareness training to all company personnel.
• Coordinate the installation and maintenance of security software on systems for which direct responsibility has been assigned. Monitor the installation and maintenance of security software on all company hardware that is under the control of remote-site security administrators.


set the tone for what is expected from each segment of the company — management, employees, and security. Nevertheless, the section on strategies does not need to be shared by the company as a whole and probably should be an internal departmental function.


4.6.6 Example 6 — Mission Statement for an Information Security Department


The mission statement in Example 6 is strong, with the exception of item 5.
Taking on the role of facilitator for the company business resumption plan 
should not be an add-on responsibility for the ISO. Business resumption 
planning (BRP) is a full-time job. In fact, BRP is an entire industry separate 
from computer and information security activities. Your role in a company 
BRP should only be the part that relates directly to data processing. A more 
appropriate responsibility statement would be: “Assist the departments and 
other business units in developing local business resumption plans and act 
as observer while these plans are being tested.” 

Your mission statement should spell out the goals that you believe can be 
accomplished. You have the opportunity to determine the direction your job 
will take, so be sure the responsibilities are attainable. Do not write a mission 
statement that assumes that you will have a staff of security personnel at your 
disposal. In the real world, the information security function is often a one- 
or two-employee operation, and security is just one of the assigned respon- 
sibilities. Be realistic about what you can accomplish and be certain to include 
educational responsibilities. For example, an appropriate item might state: 
“Attend workshops, seminars, and conferences annually to remain current on 
new developments in security technology.” 




Example 6 — Mission Statement for the Information Security Department 


Charter 

The mission of the Information Security Department (ISD) is to direct and support 
the company and affiliated organizations in the protection of their information 
assets from intentional or unintentional disclosure, modification, destruction, or 
denial through the implementation of appropriate information security and 
business resumption planning policies, procedures, and guidelines. 


Responsibilities 

The ISD shall be responsible for the development and administration of information security control plans, including the following tasks:

1. Develop information security policies, procedures, and guidelines in compliance with established company policies and generally accepted data processing controls.

2. Implement a data classification system and a management assessment program to be completed annually.

3. Develop and maintain a companywide information security awareness and education program.

4. Develop and maintain an overall access control program for mainframes, minicomputers, and microcomputers.

5. Select, implement, test, and maintain an appropriate business resumption plan for each company location responsible for processing critical systems and applications.

6. Ensure that information security requirements are incorporated in new applications by participating in the systems design and development process.

7. Investigate and evaluate emerging information security technologies and services and coordinate implementation of appropriate hardware, software, and services within company operating groups.

8. Coordinate the distribution of company security information and provide technical assistance to operating organizations as required.

9. Implement other information security responsibilities as deemed appropriate.


4.7 Support for the Mission Statement 


Before publication, the mission statement must receive management approval. 
Although the format of the mission statement does not really affect how it 
will be received, it is extremely important to have the statement approved at 
the highest possible level of management. 

The following examples show typical approval levels of mission statements for established organizations.


• General Motors Corporation — Chairman

• Kmart Corporation — Chairman of the Executive and Finance Committee

• Capital Holding Corporation — Chairman of the Board and Chief Financial Officer

• AT&T New Jersey — Chairman of the Board

• Miller Freeman Publications — Member, Board of Directors




It is important to note that in the preceding examples no data processing 
personnel approved the mission statement when published. Although an 
effective security program can be established and flourish with only data 
processing approval, the overall acceptance and support will be greatly 
reduced and your task will take much longer to succeed. 


4.8 Key Roles in Organizations 


This section describes some of the different roles within an organization and the responsibilities associated with each job. This section will provide the groundwork for identifying the management levels within your organization. The specific roles within your organization may vary, but you can find corresponding positions in your organization for each of the following key management functions.


• Chief Executive Officer (CEO) — A member of an organization who has authority over all other members in determining the conduct and direction the organization will take. The CEO is elected as a director by the shareholders and appointed CEO by the board. The CEO is responsible to the shareholders of the company for the successful conduct of the company.

• Chief Financial Officer (CFO) — Along with the CEO, the CFO is responsible for maintaining a system of internal controls designed to provide reasonable assurance that the books and records reflect the transactions of the organization and that its established policies and procedures are carefully followed. Perhaps the most important feature in the system of control is that it is continually reviewed for effectiveness and is augmented by written policies and guidelines, the careful selection and training of qualified personnel, and a strong program of internal control. The CEO and CFO must sign a statement regarding management's responsibility for the company financial statements. This statement, sometimes called Report of Management or Report of Management Responsibility for Financial Statements, attests that the organization has adequate controls to protect vital assets. The audit staff reports provide the information for this critical function.

• Senior Management — The senior manager of a business unit, such as the director of accounts payable, is responsible for specifying and implementing the operational controls for his or her work area. In addition, this individual is considered the owner of the information assets for the department he or she oversees. Senior management is responsible for ensuring that controls are in place to safeguard the department data, including who may read and update files. Senior management may delegate the responsibility for the day-to-day approval process for access to the data, programs, and transactions to another employee within the department. However, because the senior manager and the delegate are responsible for the routine reconciliation of the department activities, their positions should not include the ability to originate data or transactions.

• Director of Management Information Systems (DMIS) — The DMIS is the highest level of management within the organization charged with responsibility for the operation of the computer systems (not including microcomputers). This individual is responsible for ensuring that systems programmers, application programmers, system operators, and scheduling, tape library, and other related personnel are conducting their daily activities in accordance with established policies and procedures. The DMIS is also responsible for the actions of the system security administrator and any privileged users.

• Information Security Officer (ISO) — The ISO is responsible for developing the computer and information security policy to be adopted by senior management. The ISO is also responsible for advising on protective measures (including standards and procedures), measuring performance, and reporting to management. The ISO may supervise the system security administrator(s).

• System Security Administrator (SSA) — The SSA is responsible for creating and maintaining access control records. The SSA acts as surrogate for the system manager and the application and data owners. The SSA enrolls new users and grants access. The SSA works under the supervision of the director of information services or the ISO and is subject to review by internal auditors.


If you are not clear where you fit into your corporate organization, you should obtain current organization charts and find out who your ultimate boss is. In most instances, data processing falls under the responsibility of the financial staff. However, recently in companies such as IBM, Electronic Data Systems, BP America, Shell, and Aetna, the information security officer reports to the head of security. Knowing where you report in an organization will help you develop a mission statement that will support the business goals of your organization.


4.9 Business Objectives 


Most computer security policies and procedures are based on the recognition that the organization is inextricably linked to computer systems. Without automated information processing, the corporate world would be unable to design new products, manufacture existing products, sell the products, or even collect money for the product or services rendered. Without the ability to access information in a timely and efficient manner, businesses would cease to function within days or even hours. As a result, management must understand that corporate information is vulnerable to errors, omissions, and unauthorized access, as well as modification, disclosure, and destruction.

As a member of the corporate team, computer security must present its goals and objectives in the format and language of the organization. In addition to the policy statement and mission statement, a five-year plan should be developed. Most organizations establish such plans to determine the overall direction. Like other departments of the corporation, computer security should establish its own short-term and long-term objectives. Once developed, the information security five-year plan should be reviewed annually and modified as necessary. During the annual review, you can list goals that have been completed, determine the status of ongoing projects, and prepare new, updated long-term objectives.

The business plan should support the goals established in the mission statement. Start with short-term goals that you are fairly sure you will be able to complete. Remember, nothing succeeds like success. When management sees that you are accomplishing your stated objectives, support for the security program will be easier to obtain.


4.10 Review 


The mission statement should ensure that the security of the information and communication processing resources of the corporation are sufficient to reduce risk to a level acceptable to the management of the corporation. The following list identifies elements to consider when developing a mission statement.


• To recommend policies, standards, and procedures that foster the protection of information and information-processing resources.

• To assist units and divisions in the selection and implementation of the protective measures required in their areas of responsibility.

• To evaluate new technology and recommend security strategies to protect it.

• To identify areas of potential risk in the protection of corporate computer and information assets and to alert management once those areas have been identified.

• To provide training for security control requirements during all phases of application and system development.

• To develop programs to increase security awareness at all levels of the corporation.

• To develop a liaison between the corporate security and audit staffs to ensure that security efforts are coordinated and resources are conserved by preventing duplication of effort.

• To coordinate and assist in the development of business resumption plans for all data centers supporting critical business functions.

• To work with the local ISSO to ensure that corporate-mandated programs are cost-effective and operationally effective.

• To act as a consultant to all areas on the security of information and computer systems.

• To monitor changes in laws and regulations as well as changes in technology and corporate goals to determine the impact of these changes on corporate security requirements.




Review Example 7 for ideas on what to include in your mission statement. 


Example 7 — Mission Statement for an Information Protection Group 


Mission Statement 


To provide the Corporation with the highest level of visibility and support for the philosophy of protection and to provide Company organizations with a focal point for solving information protection problems.


Information Protection Group Responsibilities 


1. Keep information protection policies and practices current.

2. Prepare, publish, and maintain ISO guidelines and standards for information protection.

3. Answer all inquiries on compliance and interpretation of corporate policies and ISO practices.

4. Develop, implement, and maintain the Corporate Information Protection Awareness Program.

5. Assist the Corporate Organization Information Protection Coordinators (OIPCs) to develop, implement, and maintain their local information protection programs.

6. Develop, implement, and maintain standard risk assessment tools for use in determining critical corporate resources.

7. Ensure the criteria for determining sensitive information and critical applications and systems are current and appropriate to the needs of the corporation.

8. Coordinate the development, testing, and maintenance of a data center Business Continuity Plan (BCP).

9. Assist OIPCs in the development of their organization BCPs.

10. Review new system access and information protection products and make recommendations on these products to ensure they meet minimum corporate requirements.

11. Provide account administration across all platforms.

12. Provide consulting support for all application development projects.

13. Act as audit liaison for all information and computer security-related matters.

14. Assist in the investigation and reporting of computer thefts, intrusions, viruses, and breaches of information protection controls.

15. Assist in the development of effective monitoring programs to ensure that corporate information is protected as required.


Chapter 5 
Standards 


There are many existing sources for supporting standards. The banking industry has many that have been established by regulations and requirements from the federal government. The health-care industry also has standards that are required. We will explore where to find industry-specific standards and how to make them apply to your organization.

Standards for each phase or section of an information security handbook need to be developed. Almost everyone in the enterprise recognizes the need for standards. However, developing them, adhering to them, and monitoring them is a logistical problem.

Two things are necessary to achieve success with standards: 


1. There must be a commitment to the standards by all personnel. 
2. The standards must be: 

a. Reasonable 

b. Flexible 

c. Current 


These two necessities are interdependent. 

Commitment must start with senior management and then move throughout 
the enterprise. If line management does not get the proper message from 
senior management, then the standards have no chance of surviving. On the 
other hand, if the employees see their management is committed to the 
standards, there is a better chance that the employees will be committed. It 
is very much a two-way street, and therefore standards must be: 


• Practical
• Applicable
• Up-to-date
• Reviewed regularly






5.1 Where Does a Standard Go? 


Policies, standards, and procedures fit into a hierarchy. 


• A policy states a goal in general terms.
• Standards define what is to be accomplished in specific terms.
• Procedures tell how to meet the standards.


Exhibit 1 also illustrates the hierarchy of policies, standards, and procedures. 
It shows the standards and procedures that result from a specific policy. 


Exhibit 1 Standards 


Examine the following:
• Policy: It is the policy to process insurance claims as quickly as possible.
• Standard: Each claim must be processed within six working days of receipt.
• Procedure:
  Day 1 — Set up a file for correspondence, receipts, etc.
  Day 2 — Verify data.
  Day 3 — Adjudicate the claim.
  Day 4 — Enter data into the system.
  Day 5 — Print check.
  Day 6 — Mail check.


5.2 What Is a Standard? 


Policies, because they are written at a broad level, require a support structure to be meaningful and effective. Policies alone will not offer the user community the guidance necessary to implement policy and meet the objectives of the enterprise. Standards provide this support and guidance. They are the mandatory activities, actions, rules, or regulations designed to provide policies with the reinforcement required to be effective. They are often expensive to administer and, therefore, should be used judiciously (see Exhibit 2).


Exhibit 2 Standard Format 


Complete the following outline for a typical enterprise task (getting an access account, establishing an e-mail account, logging onto the system):
• Policy —
• Standard —
• Procedure —
  Step 1
  Step 2
  Step 3
  Step 4


Standards 71 


5.2.1 Examples of Standards 


Overall responsibility for ensuring the satisfactory implementation of information security is that of the chief executive of a division or the executive responsible for an equivalent unit. To permit that responsibility to be discharged, roles and responsibilities must be defined.

Managers must: 


• Be aware of legislative and regulatory requirements, risks, protective measures, and practices that are relevant to their area of responsibility.

• Ensure that they and their staff are familiar with these and their corresponding duties and obligations.

• Appoint appropriate information and system owners.

• Ensure that agreed-upon protective measures and practices are in place and operating effectively and efficiently.

• Report incidents that violate protective measures or threaten to cause an unacceptable risk.

• Investigate these occurrences.


To have standards, it will be necessary to have a subject to tie them to. As you can see in Exhibit 3, there is an opening paragraph of the mission statement that describes what is to be discussed. Exhibits 4 through 6 are some of the standards that support the mission statement. We often see this kind of format in mission statements and job descriptions. In job descriptions the section that itemizes required skills can be viewed as standards. Preferred skills can be viewed as guidelines. Remember, a guideline is not mandatory. The example for user authorization (Exhibit 6) contains some points that are guidelines and others that are standards. For example, the first item regarding Logins and Passwords contains the word “should,” which implies some leeway, a guideline. However, the last item uses the word “must” and is definitely a standard. It is important to be consistent.


5.3 International Standards 


The two standards BS 7799 and ISO 17799 are very similar. The key difference 
between the two is that ISO 17799 has two non-action sections before its list 
of standards. 

Section 1 in ISO 17799 sets the scope: 


This standard gives recommendations for information security manage- 
ment for use by those who are responsible for initiating, implementing 
or maintaining security in their organization. It is intended to provide 
a common basis for developing organizational security standards and 
effective security management practice and to provide confidence in 
inter-organizational dealings. Recommendations from this standard 
should be selected and used in accordance with applicable laws and 
regulations. 




Exhibit 3 Mission Statement 


Information Protection Group 
Mission Statement 


To provide the Corporation with the highest level of visibility and support for the 
philosophy of protection and to provide Company organizations with a focal point 
for solving information protection problems. 


Information Protection Group Responsibilities 

1. Keep information protection policies and practices current. 

2. Prepare, publish, and maintain guidelines and standards for information 
protection. 

3. Answer all inquiries on compliance and interpretation of corporate policies and practices.

4. Develop, implement, and maintain the Corporate Information Protection Awareness Program.

5. Assist the Organization Information Protection Coordinators (OIPC) to develop, implement, and maintain its local information protection programs.

6. Develop, implement, and maintain standard risk assessment tools for use in determining critical corporate resources.

7. Ensure the criteria for determining sensitive information and critical applications and systems are current and appropriate to the needs of the corporation.

8. Coordinate the development, testing, and maintenance of a Business Continuity Plan (BCP).

9. Assist OIPCs in the development of the organization BCPs.

10. Review new system access and information protection products and make recommendations on these products to ensure they meet minimum corporate requirements.

11. Provide consulting support for all application development projects.

12. Act as audit liaison for all information and computer security-related matters.

13. Assist in the investigation and reporting of computer thefts, intrusions, viruses, and breaches of information protection controls.

14. Assist in the development of effective monitoring programs to ensure that 
corporate information is protected as required. 


As we can see in Section 1, although this document is titled a “standard,” 
it is really a strong guideline. So use 17799 as a road map, understanding that 
there are alternative routes that you can take to get to the same destination. 

Section 2 sets terms and definitions: 


• Information Security — Preservation of confidentiality, integrity, and availability of information.

• Confidentiality — Ensuring that information is accessible only to those authorized to have access.

• Integrity — Safeguarding the accuracy and completeness of information and processing methods.

• Availability — Ensuring that authorized users have access to information and associated assets as required.




Exhibit 4 Job Description 


Chief Information Officer (CIO) 


CIO Mission: To provide technology vision and leadership for developing and 
implementing Information Technology (IT) initiatives that create and maintain leadership 
for the enterprise in a constantly changing and intensely competitive marketplace. 


Reporting Relationship: To a senior functional executive (President, EVP, CFO) or 
CEO. This is a key management position for the organization responsible for IT 
policy and alignment of IT strategy with business objectives. 


Responsibilities: 

• Sponsor collaborative business technology planning processes.

• Coordinate new and existing application development initiatives between IT and business units.

• Ensure IT infrastructure and architecture continue to meet enterprise business needs.

• Certify “make versus buy” decisions relative to outsourcing to in-house provisioning of IT services, skills, and products.

• Establish strategic relationships with key IT suppliers and consultants.

• Provide enabling technologies to make it easier for customers and suppliers to conduct business with the enterprise as well as to increase revenue and profitability.

• Interact with internal and external clients to ensure continuous customer satisfaction.

• Provide training for all IT personnel and users to ensure productive use of existing and new systems.


Skills Required: 

• Strong business orientation, broad experience in the IT sector and related activities (i.e., consulting and vendor activities).

• Demonstrated ability to bring the benefits of IT to solve business issues while effectively managing costs and risks.

• Skill at identifying and evaluating new technological developments and gauging their appropriateness for the enterprise.

• Ability to communicate with and understand the needs of nontechnical internal clients.

• Exceptional organizational skills to ensure proper management of central IS resources and applications and coordinate business unit initiatives and resources.

• Ability to conceptualize, launch, and deliver multiple IT projects on time and within budget.

• Ability to blend with the existing management team by being an effective listener, team builder, and an articulate advocate of the IT vision.


Personal Qualities: 

Superb leadership, communication, and interpersonal skills; ability to function in a collaborative and collegial environment; sensitivity to others, high integrity and intelligence, excellent judgment; a conceptual thinker strategically as well as pragmatically, and an ability to generate trust and build alliances with co-workers.




Exhibit 5 Information Classification 


Introduction: 

Information, wherever it is handled or stored (for example, in computers, file 
cabinets, desktops, fax machines, voice mail) needs to be protected from 
unauthorized access, modification, disclosure, and destruction. All information is 
not created equal. Consequently, segmentation or classification of information into 
categories is necessary to help identify a framework for evaluating the relative value 
of the information and the appropriate controls required to preserve its value to 
the company. 


Three basic classifications of information have been established. Organizations may 
define additional subclassifications as necessary to complete their framework for 
evaluating and preserving information under their control. 


When information does require protection, the protection must be consistent. 
Often, strict access controls are applied to data stored in the mainframe computers 
but not applied to office workstations. Whether in a mainframe, client server, 
workstation, file cabinet, desk drawer, wastebasket, or in the mail, information 
should be subject to appropriate and consistent protection. 


The definitions and responsibilities described below represent the minimum level 
of detail necessary for all organizations across the company. Each organization may 
decide that additional detail is necessary to adequately implement information 
classification within the organization. 


Corporate Policy: All information must be classified by the owner into one of three 
classifications: Confidential, Internal Use, or Public. 
(From: Company Policy on Information Management) 


Internal Use Definition: Classify information as internal use when the information is 
intended for use by employees when conducting company business. 


Examples: Some examples of internal use information are: 
■ Operational business information/reports 
■ Non-company information which is subject to a nondisclosure agreement with another company 
■ Company phone book 
■ Corporate policies, standards, and procedures 
■ Internal company announcements 


Public Definition: Classify information as public if the information has been made 
available for public distribution through authorized company channels. Public 
information is not sensitive in context or content, and requires no special protection. 




Examples: The following are examples of public information: 
■ Corporate Annual Report 
■ Information specifically generated for public consumption, such as public service bulletins, marketing brochures, and advertisements 


Declassification: 

Classified information normally declines in sensitivity with the passage of time. 
Downgrading should be as automatic as possible. If the information owner knows 
the date on which the information should be reclassified, it can be labeled 
"Confidential until (date)". There should be an established review process for all 
information classified as confidential, and the information should be reclassified 
when it no longer meets the criteria established for that classification. 


Part of an effective information classification program is to destroy documents 
when they are no longer required. Placing restrictions on copying classified 
documents helps ensure that documents and data sets are controlled, and that 
the number of copies created and the persons to whom those copies were issued 
are logged. To assist in this process, it may be convenient to create an information 
handling matrix. 


Exhibit 6 User Authorization Example 


■ Log-ins and passwords: No log-in/user should be created without a password. 
■ All database applications must have database-level security implemented, with 
every user having his or her own database account. Application security is then 
optional. Sharing accounts is prohibited. 
■ If users' application logins are the same as their Sybase database logins, then 
users can access databases directly through isql or some other interface. 
Application designers should be aware of this danger when designing protection 
schemes: restrictions at the database level are much more secure than 
restrictions that are only enforced at the application level. 
Database-level restrictions are not sufficiently secure to allow users to access 
the database directly if they allow individuals access to data for which the 
application owners did not grant access permission via the normal interface 
of the application. In those cases, database passwords should be different 
from application passwords (so that users do not know their database 
passwords). 
■ Passwords must be changed every 30 days. 
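The database-level controls that Exhibit 6 calls for, shown as an added example written for this edition rather than taken from the book: one login and one database user per person, access granted only through a role and a restricted view, and a separate application login whose password the users never learn. It is written in Sybase ASE-style Transact-SQL because the exhibit names Sybase and isql; the database, table, login, and role names are invented, and the exact system procedure names and arguments are assumptions to be checked against the version of the server in use.

```sql
-- Added example, not from the book. Sybase ASE-style Transact-SQL; the
-- system procedure names and arguments vary by server version, so treat
-- them as an assumption and confirm against the reference manual.
-- Every name below (payroll, hr_employee, alice, bob, clerk_role,
-- app_payroll_svc) is invented for the illustration.

use payroll
go

-- 1. One login per person, each with a password (no login without one).
--    A server-wide minimum can be enforced with
--    sp_configure 'minimum password length'.
exec sp_addlogin 'alice', 'Vq7!pL2#xRn9', payroll
exec sp_addlogin 'bob',   'Hs4%tW8@mKc1', payroll
exec sp_adduser  'alice'
exec sp_adduser  'bob'
go

-- 2. Enforce the restriction in the database, not only in the application.
--    Nobody is granted anything on the base table; clerks reach it only
--    through a view that omits the columns the application never shows.
create role clerk_role
go

create view v_employee_directory as
    select emp_id, name, department, extension
    from   hr_employee          -- base table also holds salary and ssn
go

grant select on v_employee_directory to clerk_role
grant role clerk_role to alice
grant role clerk_role to bob
go

-- 3. Direct isql access is now no more powerful than the application.
--    Connected as alice, this statement is refused (no grant exists on
--    hr_employee for alice or for clerk_role):
--        select salary, ssn from hr_employee

-- 4. Where the application legitimately needs more than its users should
--    see, give the application its own login with a password the users do
--    not know, and keep the per-user logins for accountability.
exec sp_addlogin 'app_payroll_svc', 'Zf3&qN6$wBv0', payroll
exec sp_adduser  'app_payroll_svc'
grant select, update on hr_employee to app_payroll_svc
go

-- 5. Password ageing. The exhibit sets 30 days; on ASE this is a login
--    attribute (sp_modifylogin 'passwd expiration' on 12.x-era servers).
exec sp_modifylogin 'alice', 'passwd expiration', '30'
exec sp_modifylogin 'bob',   'passwd expiration', '30'
go
```

With these grants in place, a user who connects directly through isql with her own login can select from v_employee_directory but is refused on hr_employee, so the restriction holds whether or not the application enforces it. Had the grant been made on the base table and the application password doubled as the database password, the application's column filtering would have been the only control, which is exactly the exposure the exhibit warns about. One caveat on the last step: the 30-day expiry reproduces the exhibit's standard; later guidance such as NIST SP 800-63B no longer recommends forced periodic password changes, favouring a change when there is evidence of compromise.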


■ Risk assessment — Assessment of threats to, impacts on, and vulnerabilities 
of information and information processing facilities and the 
likelihood of their occurrence. (This process is also known as risk 
analysis, and CRC Press offers a top-selling book on the subject: 
Information Security Risk Analysis.) 

■ Risk management — Process of identifying, controlling, and minimizing 
or eliminating security risks that may affect information systems, for an 
acceptable cost. 


See Exhibit 7 for a summary of controls. 

ISO 17799 and BS 7799 are copyrighted documents; you will need to contact 
the issuing organizations and purchase complete copies. What is presented 
here is only an overview of what is in the complete set of standards. As an 
example, the unabridged version of ISO 17799, Section 8 — Computer and 
Network Management, has approximately 170 standard recommendations. When 
developing your supporting standards, remember that Section 2 recommends 
performing a risk analysis to confirm that the controls are actually needed. 


5.4 Summary 


In this chapter we discussed the standard. In the introduction we examined 
where it fits in the scheme of written documents and found that it is needed 
to provide a policy with direction. It was strongly recommended that standards 
not be made part of the policy. This was mainly due to the process required 
to get policies modified and approved. 

On the other hand, it is quite permissible to have policies found in a 
standards manual. When developing a standards manual, it will be necessary 
to have an overview (topic-specific or application/system policy) provide the 
introduction to the topic and then have supporting standards. This might look 
something like Exhibit 8. 

This is a fairly straightforward overview with its supporting standards. The underscored 
item indicates that it is optional and therefore we would call it a guideline. 
It would be necessary to create standards for other kinds of systems, such as 
Macs and laptops. 

We discussed where the standard fit in the process of documentation for 
employee use and why policies were not enough. We reviewed what a 
standard is and examined examples of standards and how they can work in 
your enterprise. Finally, we discussed the ISO 17799 International Standard 
for information security and how it is actually a guideline document. 

To assist you in understanding what might be necessary in developing a 
security manual, Appendix A has a Policy Baseline Checklist that identifies 71 
key elements to be considered when developing your information security 
documentation. 

In Chapter 6 we discuss a number of procedure types, the pros and cons 
of each style, and examples of each. 




Exhibit 7 Controls Found in ISO 17799 Summarized from the International 
Organization for Standardization 


Section 3 Security Policy 
3.1 Information Security Policy 
Objective: To provide management direction and support for information security. 
3.1.1 Information security policy document. A written policy document should be available to all employees responsible for information security. 

Section 4 Security Organization 
4.1 Information security infrastructure 
Objective: To manage information security within the organization. 
4.1.1 Management information security forum 
4.1.2 Information security coordination 
4.1.3 Allocation of information security responsibilities 
4.1.4 Authorization process for IT facilities 
4.1.5 Specialist information security advice 
4.1.6 Cooperation between organizations 
4.1.7 Independent review of information security 
4.2 Security of third-party access 
Objective: To maintain the security of organizational IT facilities and information assets accessed by third parties. 
4.2.1 Identification of risks from third-party connections 
4.2.2 Security conditions in third-party contracts 

Section 5 Assets Classification and Control 
5.1 Accountability for assets 
Objective: To maintain appropriate protection of organizational assets. 
5.1.1 Inventory of assets 
5.2 Information classification 
Objective: To ensure that information assets receive an appropriate level of protection. 
5.2.1 Classification standards 
5.2.2 Classification labeling 

Section 6 Personnel Security 
6.1 Security in job definition and resourcing 
Objective: To reduce the risks of human error, theft, fraud, or misuse of facilities. 
6.1.1 Security in job descriptions 
6.1.2 Recruitment screening 
6.1.3 Confidentiality agreement 




6.2 User training 
Objective: To ensure that users are aware of information security threats and concerns, and are equipped to support organizational security policy in the course of their normal work. 
6.2.1 Information security education and training 
6.3 Responding to incidents 
Objective: To minimize the damage from security incidents and malfunctions and to monitor and learn from such incidents. 
6.3.1 Reporting security incidents 
6.3.2 Reporting security weaknesses 
6.3.3 Reporting of software malfunctions 
6.3.4 Disciplinary process 

Section 7 Physical and Environmental Security 
7.1 Secure areas 
Objective: To prevent unauthorized access, damage, and interference to IT services. 
7.1.1 Clear desk policy 
7.1.2 Removal of property 
7.2 Equipment inventory 
Objective: To prevent loss, damage, or compromise of assets and interruption to business activities. 
7.2.1 Equipment siting and protection 
7.2.2 Power supply 
7.2.3 Cabling security 
7.2.4 Equipment maintenance 
7.2.5 Security of equipment off-premises 
7.2.6 Secure disposal of equipment 

Section 8 Computer and Network Management 
8.1 Operational procedures and responsibilities 
Objective: To ensure the correct and secure operation of computer and network facilities. 
8.1.1 Documented operating procedures 
8.1.2 Incident management procedure 
8.1.3 Segregation of duties 
8.1.4 Separation of development and operational facilities 
8.1.6 External facilities management 
8.2 System planning and acceptance 
Objective: To minimize the risk of system failure. 
8.2.1 Capacity planning 
8.2.2 System acceptance 
8.2.3 Fallback planning 
8.2.4 Operational change control 




8.3 Protection from malicious software 
Objective: To safeguard the integrity of software and data. 
8.3.1 Virus control 
8.4 Housekeeping 
Objective: To maintain the integrity and availability of IT services. 
8.4.1 Data back-up 
8.4.2 Operator logs 
8.4.3 Fault logging 
8.4.4 Environmental monitoring 
8.5 Network management 
Objective: To ensure the safeguarding of information in networks and the protection of the supporting infrastructure. 
8.5.1 Network security controls 
8.6 Media handling and security 
Objective: To prevent damage to assets and interruptions to business activities. 
8.6.1 Management of removable computer media 
8.6.2 Data handling procedures 
8.6.3 Security of system documentation 
8.6.4 Disposal of media 
8.7 Data and software exchange 
Objective: To prevent loss, modification, or misuse of data. 
8.7.1 Data and software exchange agreements 
8.7.2 Security of media in transit 
8.7.3 EDI security 
8.7.4 Security of electronic mail 
8.7.5 Security of electronic office systems 

Section 9 System Access Control 
9.1 Business requirements for system access 
Objective: To control access to business information. 
9.1.1 Documented access control policy 
9.2 User access management 
Objective: To prevent unauthorized computer access. 
9.2.1 User registration 
9.2.2 Privilege management 
9.2.3 User password management 
9.2.4 Review of user access rights 
9.3 User responsibilities 
Objective: To prevent unauthorized user access. 
9.3.1 Password use 
9.3.2 Unattended user equipment 




9.4 Network access control 
Objective: Protection of networked services. 
9.4.1 Limited services 
9.4.2 Enforced path 
9.4.3 User authentication 
9.4.4 Node authentication 
9.4.5 Remote diagnostics port protection 
9.4.6 Segregation in networks 
9.4.7 Network connection control 
9.4.8 Network routing control 
9.4.9 Security of network services 
9.5 Computer access control 
Objective: To prevent unauthorized computer access. 
9.5.1 Automatic terminal identification 
9.5.2 Terminal logon procedures 
9.5.3 User identifiers 
9.5.4 Password management system 
9.5.5 Duress alarm to safeguard users 
9.5.6 Terminal time-out 
9.5.7 Limitation of connection time 
9.6 Application access control 
Objective: To prevent unauthorized access to information held in computer systems. 
9.6.1 Information access restriction 
9.6.2 Use of system utilities 
9.6.3 Access control to program source libraries 
9.6.4 Sensitive system isolation 
9.7 Monitoring system access and use 
Objective: To detect unauthorized activities. 
9.7.1 Event logging 
9.7.2 Monitoring system use 
9.7.3 Clock synchronization 

Section 10 Systems Development and Maintenance 
10.1 Security requirements of systems 
Objective: To ensure that security is built into IT systems. 
10.1.1 Security requirements analysis and specification 
10.2 Security in application systems 
Objective: To prevent loss, modification, or misuse of user data in application systems. 
10.2.1 Input data validation 
10.2.2 Internal processing validation 
10.2.3 Data encryption 
10.2.4 Message authentication 




10.3 Security of application system files 
Objective: To ensure that IT projects and support activities are conducted in a secure manner. 
10.3.1 Control of operational software 
10.3.2 Protection of system test data 
10.4 Security in development and support environments 
Objective: To maintain the security of application system software and data. 
10.4.1 Change control procedure 
10.4.2 Technical review of operating system changes 
10.4.3 Restrictions on changes to software packages 

Section 11 Business Continuity Planning 
11.1 Aspects of business continuity planning 
Objective: To have plans available to counteract interruptions to business activities. 
11.1.1 Business continuity planning process 
11.1.2 Business continuity planning framework 
11.1.3 Testing business continuity plans 
11.1.4 Updating business continuity plans 

Section 12 Compliance 
12.1 Compliance with legal requirements 
Objective: To avoid breaches of any statutory, criminal, or civil obligations and of any security requirements. 
12.1.1 Control of proprietary software copying 
12.1.2 Safeguarding of organizational records 
12.1.3 Data protection 
12.1.4 Prevention of misuse of IT facilities 
12.2 Security review of IT systems 
Objective: To ensure compliance of systems with organizational security policies and procedures. 
12.2.1 Compliance with security policy 
12.2.2 Technical compliance checking 
12.3 System audit considerations 
Objective: To minimize interference to and from the system audit process. 
12.3.1 System audit controls 
12.3.2 Protection of system audit tools 




Exhibit 8 Overview — Recommended Minimum Computer Workstation Standards 


Please check with your College or Department technical staff before purchasing 
any computer or peripheral equipment to ensure compatibility and support. 


The following represents the recommended minimum system configurations for 
computer systems purchased by Enormous State University. These standards were 
developed by the Minimum Workstation Site License Subcommittee (MWSSLS). 


Standards 

■ Intel FCPGA PIII 733 or Celeron 633 MHz processor with compatible chipset, 
USB port with connector 

■ Two 16C550 UART serial ports, one enhanced parallel port, and USB 

■ NT compliant, DMI compliant, Plug & Play 

■ 512 pipeline burst cache 

■ 128 MB SDRAM expandable to 512 MB (at least two additional slots available) 

■ 256 MB SDRAM recommended for Oracle, SPSS, SAS, or multimedia 

■ 1.44 MB floppy disk drive (TEAC) 

■ DVD CD-ROM drive (Pioneer and Toshiba are recommended brands) 

■ 64-bit AGP video card with 16 MB VRAM, 1024 x 768 resolution at 70 Hz NI, 16-bit 
color with RAMDAC (possible brands: nVidia or ATI) 

■ 3COM jumperless (software configurable) 10/100Base-T PCI network card 
(Model: 3C905B) 

■ 15 GB or greater hard disk drive (recommended brands: IBM and Seagate) with 
ATA66 plus controller 

■ ATX lockable case w/250 UL, CSA power supply desktop, or medium tower 
lockable case with 230-watt power supply 

■ SVGA 17-inch non-interlaced color monitor with a minimum of .26 dot pitch or 
lower, 1024 x 768 @ 72 Hz, Plug & Play, Energy Star; speakers should be built in 
(recommended brands are Sony, NEC, or Iiyama) 

■ External speakers (if not built into monitor) [recommended brand is Altec-
Lansing] 

■ Two-button PS/2 mouse 

■ MS Windows 98 SE (CD version)/2000 CD (SP 1) or Windows NT operating system 
(v4.0) (CD with tutorial SP 4 or 6a) 

■ 104-key enhanced keyboard 

■ PCI-integrated sound card with 100 percent Sound Blaster compliance 

■ 100 MB internal ZIP drive or Imation LS-120 floppy drive or tape backup unit 
[optional] 

■ Adaptec PCI 19160 ultrawide SCSI host adapter and cable [optional — needed 
to attach external drives] 

■ CD-ROM burner (recommended brands: Plextor, Yamaha, and HP) [optional] 

■ Warranty: three-year in-house parts service on repairs (ESU technicians must 
be able to troubleshoot and exchange parts) 

■ No toll charge for telephone support 

■ Next working day on-site support 


Approximate price of this configuration is $1620.00. 


Chapter 6 


Writing Procedures 


Procedures are as unique as the organization. There is no generally accepted 
standard for the proper way to write a procedure. What will determine how 
your procedures look will be how they currently look or what will work best 
to provide the target audiences with what they need. This means that it may 
be necessary to use a number of different styles. In this section, we examine 
what some of those procedure styles look like and how they are used. 


6.1 Definitions 
6.1.1 Policy 


A policy is a high-level statement of enterprise beliefs, goals, and objectives 
and the general means for their attainment for a specified subject area. 


6.1.2 Standards 


Standards are mandatory activities, actions, rules, or regulations designed to 
provide policies with the support structure and specific direction they require 
to be meaningful and effective. They are often expensive to administer and, 
therefore, should be used judiciously. 


6.1.3 Guidelines 


Guidelines are more general statements that are designed to achieve the 
objective of the policy by providing a framework within which to imple- 
ment procedures. Whereas standards are mandatory, guidelines are rec- 
ommendations. 




6.1.4 Procedures 


Procedures spell out the specific steps of how the policy and the supporting 
standards and guidelines will actually be implemented. They are a description 
of tasks that must be completed in a specific order. 


6.2 Writing Commandments 


The following ten commandments should be followed (see Exhibit 1). 

Write to the audience. Procedures are created and implemented with the 
sole purpose of being read and used by the user community. Always keep 
the audience for these procedures in mind when writing. Before any procedure 
can be written, it will be necessary to know who the audience is and what 
its level of knowledge of the subject at hand is. Every department has its own 
language; therefore, the procedures must be addressed to each in the terms 
that each is used to. If you write procedures using the wrong "language," the 
procedure may as well be written in Sanskrit. The intended audience will not 
be able to understand it, or will find it difficult to follow. 

Organize the material. The procedures must be written in a logical and 
flowing manner so that the reader can understand the meaning. If the text 
is not properly planned, the possibility is great that the intended audience 
will not clearly understand what is expected. The procedure must be 
broken up into easily digestible bits of information. Do not expect the 
user to read a long and involved passage and then successfully execute 
the appropriate processes. 

Read and edit the materials. Do not just run the spell checker and assume 
that the editing is complete. Before handing over the material to the editor, 
proofread what has been written and see if it makes sense to you. If you are 
unable to understand what you have written, then it will be impossible for 
others to understand. 

Find subject experts. The first step in any procedure development process 
is either to know the subject or to find people who do and use their knowledge 
to write the procedure. Subject experts may not understand the procedure-
writing process, so it may be necessary for you to sit with them and take 
notes on how the process works and then write the procedure. Make sure 
that one of the editors is the subject expert. However, the subject expert 
should not be the person to test the procedure. Experts know the topic so 
well that they might assume information that is not present in the procedure. 


Exhibit 1 Writing's Important Keys 

■ Write to the audience 
■ Organize the material 
■ Read and edit the materials 
■ Find subject experts 
■ Use clear, familiar words 
■ Keep sentences short and simple 
■ Use illustrations to support the topic 
■ Use an active voice 
■ Ensure grammar and punctuation are correct 
■ Use a conversational style 

Use clear, familiar words. The intended audience of the procedure will not 
be pleased if confronted with a document filled with words, expressions, and 
acronyms that are unfamiliar. It will be important to have a definitions section 
in some procedures. This should come up front and provide the reader 
with whatever is necessary to complete the process at hand. 

Do not use big words; remember the reading and comprehension level of 
the intended audience (see Exhibit 2). Multisyllabic words are often imprecise, 
and the various "ese" languages should be avoided (financialese, 
auditese, legalese, securityese, computerese, etc.). 


Exhibit 2 Sample of Proper Words to Use 
in Writing Policies and Procedures 


Words to Avoid        Familiar Words 
accordingly           so 
applicable            apply to 
compensate            pay 
foregoing             this 
furthermore           also 
in order to           to 
in the near future    soon 
subsequently          after 


Make sure to define all acronyms. There is nothing more irritating than 
reading a text that contains a number of TLAs (TLA being the three-letter 
acronym for "three-letter acronym"). The user will lose interest and compre-
hension if there are undefined terms in the text. 

Keep sentences short and simple. Remember the KISS (Keep It Simple, 
Sweetie) principle. Long sentences increase the level of frustration of the user 
and decrease the level of understanding. An appropriate average sentence 
length for procedures is between 10 and 15 words. Unless you are a writer 
of the caliber of a James Joyce, it would be wise to keep sentences to 
the 15-word maximum. 

Use illustrations to support the topic. "A picture is worth a thousand words" 
may be a cliché, but it is true. Whenever applicable, break up the text with 
a graphic that depicts what is being discussed. These graphics can be pictures, 
charts (flow, pie, bar, etc.), tables, or diagrams. These will help the user 
visualize the subject and can provide the material necessary for a clear 
understanding of the process. 

Illustrations include the use of screen prints. These will help users if they 
are interacting with a computer system. By providing a picture of the screen, 
users will be able to visualize what the process looks like and what is expected 
as a response. 

Use an active voice. In the active voice, the sentences stress what has to 
occur. It will identify who is responsible for what action. For example, a 
passive voice might read as follows: "All tape drives are to be cleaned by the 
tape operators." An active voice might read as follows: "The tape operators 
are responsible for cleaning the tape drives on each shift." The active voice 
identifies who is responsible, and for what. 

Ensure grammar and punctuation are correct. The number-one deadly sin 
is not taking care of this key element. Too many times materials have been 
sent out for content review and the text is filled with errors of grammar and 
punctuation. It is hard enough to get a critique of the subject. By presenting 
reviewers with error-filled material, they will correct the form and forget to 
comment on the substance. If this is not your strong suit, find someone who 
can do these edits. 

Use a conversational style. This does not mean that the text should be 
full of slang and idioms; it should just be presented in an informal style. 
Most people communicate better when they are speaking than when they 
are writing. It could be that many individuals write to impress the reader 
as opposed to writing to express an idea. One very easy way around this 
problem is to write as if you are talking to the intended audience. However, 
if you have a tendency to speak like William F. Buckley, Jr., then you might 
want to have someone else review the material. Although a conversational 
style is preferred, this form does not relieve you of the responsibility of 
being precise. 


6.3 Key Elements in Procedure Writing 


There are four key purposes for writing a procedure. 


1. The first is to fulfill some need. If a task or process has to be performed 
in a specific manner, then there is a definite need for a procedure. 

2. Once the need has been established, it will be necessary to identify 
the target audience. 

3. Describe the task that the procedure will cover. It will be necessary to 
have opening remarks that present the scope of what the procedure 
is attempting to accomplish. 

4. The intent of the procedure should also be made known to the user. 


6.4 Procedure Checklist 


Not every procedure will require all of the elements found in this procedure 
development checklist. Some may even require additional steps. As with any 
checklist, this is only a series of thought starters. The list that you use 
may have additional items, or fewer. 


1. Title — Establish what the topic of the procedure is going to be. Try 
to avoid being cute with your choice of words. Remember that you 
are writing for a business environment. 

2. Intent — Discuss what the procedure is attempting to accomplish in 
general terms. 

3. Scope — Briefly describe the process that the procedure is going to 
cover (e.g., Implementing a UNIX userid request). 

4. Responsibilities — Identify who is to perform what steps in the proce-
dure. Use job functions rather than individual names. 

5. Sequence of events — It is very important for the user to understand 
the timing and conditions for performing the tasks identified in the 
procedure. Some tasks are not executed at a specific time, but must 
be performed when a specific condition is met. 

6. Approvals — Identify any necessary approvals and when these approv-
als must be obtained. Approvals will be obtained prior to the execution of 
the procedure process. 

7. Prerequisites — List any pre-conditions that must be met before starting 
the procedure process. 

8. Definitions — Remember the audience. It will be beneficial to include 
a discussion of any terms and acronyms that are included in the body 
of the procedure. 

9. Equipment required — Identify all equipment, tools, documents, and 
anything else the individual executing the procedure will need to 
perform the tasks. 

10. Warnings — Some tasks, if performed in an improper sequence, could 
cause severe damage to the enterprise. Identify those key tasks and 
review the importance of understanding exactly when the task is to be 
executed and under what set of circumstances. 

11. Precautions — Identify all steps to be taken to avoid problems or 
dangers (e.g., "Unplug before performing maintenance."). 

12. Procedure body — This lists the actual steps to be performed in the 
execution of the procedure. 


6.5 Getting Started 


Now that you understand what the do's and don'ts of procedure writing are 
all about, we must get down to the actual task. A procedure is the step-
by-step process that an employee will use to complete a specific task. To 
write a procedure, then, it will be necessary to have a strong understanding 
of the task at hand. Very few of us have a sufficient level of knowledge for 
every subject. Therefore, it will be necessary for us to seek out subject matter 
experts (SMEs) to help in the development of procedures. 


■ The SMEs are usually those employees who handle a specific set of 
tasks daily, and it will be their knowledge that must be turned into a 
procedure. Many organizations have requested that the SMEs write the 
procedures themselves. This method has met with limited success. What 
is currently recommended is that the organization hire documentation 
experts to interview the SMEs and then write the procedures. 

■ Our employees are generally overworked now. Asking them to perform 
a task that most do not want to do will cause lengthy delays in 
completing the process. By conducting an interview (not to last longer 
than 90 minutes) and having the documentation expert write the draft 
document, it may be possible actually to complete the procedure 
development process on time. 

■ Once the draft is completed, it should be given to the SME and the 
SME backup for review and critique. Allow this process to take five to 
ten workdays. Once the comments are incorporated, send the proce-
dures out for a final review and include the supervisor of the SME. 
After the procedures are returned, make any final adjustments and then 
publish them. Ensure that the SME reviews the procedures at least 
annually for changes. 


6.6 Procedure Styles 


There are perhaps as many as six different styles of procedures. Any one of 
them may meet the needs of your organization. 


Headline 
Caption 
Matrix 
Narrative 
Flowchart 
Playscript 


Of these six, Narrative and Headline should be used very seldom. Others 
(especially Caption and Playscript) should be used very often. The choice of 
layout will depend upon the subject matter to be presented and the individuals 
using the material. Each has its advantages and disadvantages. We will examine 
six of the most popular forms of procedures and will identify the positive 
side to each as well as any shortcomings. 

The following general guidelines should be applied no matter what layout 
is used. 

■ Ensure that every subject has a summary. 

■ Use a summary (topic policy) to introduce the topic to the reader and 
outline the scope and objectives of the procedure. 

■ Present policy and/or background information such as why a procedure 
is to be carried out and who is responsible for carrying it out. 

■ Use brief paragraphs. 

■ Keep your words and sentences brief and simple, as well as paragraphs. 

■ Keep subjects brief. 


■ Do only one procedure per procedure. 

■ Write only to the audience concerned. 

■ Know to whom you are writing and use them as a focus group. 

■ Cross-reference only when necessary (cross-referencing will increase 
the need to monitor other sources to keep the procedures current). 

■ Include detail (the inclusion of detail does not contradict the require-
ment to be brief). 

■ Be aware that one of the most consistent problems with procedures is 
the tendency to leave out details. 


6.6.1 Headline 


A headline style is a title line placed above the text. It is usually printed in 
bold and briefly summarizes or suggests the content of the text that follows 
(like a newspaper). See Exhibit 3 for samples of various sorts of headlines. 


Exhibit 3 Example of Headline Style 


PS:PME PROCESS 

0. Project Initiation 
0.1. Conduct project definition and confirmation meeting with customer 
0.2. Develop documentation 
0.3. Present findings and obtain approval of SOW 
0.4. Develop Engagement Agreement 
0.5. Develop Non-Disclosure Agreement 
1. Pre-Site Visit to Outline Expectations and Security Requirements 
1.1. Determine project ownership 
1.2. Determine client's expectations 
1.3. Define project scope 
1.3.1. Scope statement 
1.3.2. Scope verification 
1.3.3. Scope change control 
1.4. Define project approach 
1.4.1. Define project milestones 
1.4.2. Define project schedule 
1.4.3. Define project deliverables 
1.5. Define project organization 
1.6. Define project constraints 
1.7. Define project assumptions 
1.8. Define project risks 
1.9. Define quantifiable project success criteria 
1.10. Develop and submit Project Charter 
1.11. Obtain client approval of Project Charter 
2. Facilitated Site Visit to Gather Data 
2.1. Identify existing security policy and procedure documentation 
2.2. Determine existing security policy hierarchy/definitions 


2.3. Identify existing corporate policy development/maintenance process 
2.4. Evaluate organizational security culture 
2.5. Determine Requirements 
2.5.1. Regulatory 
2.5.2. Legal requirements 
2.5.3. Contractual 
2.5.4. Business 
2.6. Identify policy responsibilities 
2.6.1. Development 
2.6.2. Review 
2.6.3. Approval 
2.6.4. Communication 
2.6.5. Implementation 
2.6.6. Compliance Monitoring 
2.6.7. Exception Approval 
2.6.8. Maintenance 
2.6.9. Awareness 
2.7. Collect documentation 
2.7.1. Incident reports 
2.7.2. Risk assessments 
2.7.3. Audit reports 
2.7.4. Organization charts 
2.7.5. Security awareness materials 
3. Planning for the Development of Policies and Procedures Documentation 
3.1. Analyze existing policies against identified policy requirements 
3.2. Conduct analysis of existing policies against leading practices (e.g., 
BS 7799) 
3.3. Document and prioritize policy shortfalls and identify policy needs 
3.4. Present interim findings to client 
3.5. Obtain client approval of findings 
3.6. Develop required documentation 
4. Documentation Review by Client 
4.1. Provide draft policy and procedure documentation to the client for 
review 
4.2. Establish review process 
4.2.1. Establish Review Panel composition 
4.2.2. Validate review responsibilities 
4.2.3. Validate review schedule 
4.3. Assist client with review sessions 
4.4. Coordinate with client to keep review on schedule 
4.5. Address comments received from client reviewers 
5. Formal Presentation of Engagement Deliverables 
5.1. Prepare final deliverable by updating draft deliverable to incorporate 
validated reviewer comments 
5.2. Obtain client sign-off and approval 




Pros: 
• The procedure is divided into organized blocks of data. 

Cons: 
• The procedure is meant to be read from beginning to end. 
• The headline is used to grab the reader's eye and not as a means of retrieval. 


6.6.2 Caption 


Captions are key words that appear in the left margin of the page and that 
highlight or describe the blocks of text opposite them. See Exhibit 4 for 
examples of captions. 

Pros: 
• Simple layout 
• Easy to read 
• Easy to retrieve information 
• Can be used for almost any subject 
• Can be mixed with other styles 

Cons: 
• Writers tend to overuse 
• Should not be used for describing sequenced actions 
• Sometimes difficult to organize material into meaningful order 


This style is used best for descriptive text that answers all writing questions: 
who, what, when, where, why. Examples of subject matter that lends itself 
to caption best include: 


• Policy statements 
• Responsibility statements 
• Descriptions of forms, reports, or equipment 


Exhibit 4 Example of Caption Style 


Hiring Responsibilities 
Systems: The Supervisor is responsible for: 
• Recommending a candidate 
• Obtaining approval to hire from the manager 
• Notifying Human Resources 
Human Resources: The Hiring Officer is responsible for: 
• Making the job offer, in accordance with company policy 
• Induction and orientation interviews 




6.6.3 Matrix 


A matrix is a chart that lists related constants and variables (or independent 
and dependent variables) on horizontal and vertical axes. At the intersection 
of lines drawn from each axis may be found such information as: 


• Relationship between constants and variables 
• Actions to be performed depending on variables or conditions 


Pros: 


• Data is presented in a simple and logical order. 
• Repetitive information is eliminated. 
• A one-page matrix may replace many pages of text. 
• Retrieval time and reading time are saved. 


Cons: 


• Maintaining data can be time-consuming. 
• Initial setup can also take time. 


Exhibit 5 shows an example of a matrix. 


6.6.4 Narrative 


Narrative procedure style presents information in paragraph format. It 
presents the process in a conversational or narrative form. This method does 
not present the user with easy-to-follow steps; rather, it requires the user to 
read the entire paragraph to find out what is expected. This method is 
recommended for such items as policy statements, company philosophy, or 
background material. 

Exhibit 6 shows an example of the narrative form of procedure writing. 
Note how all of the information that the user will need is presented. The 
discussion flows through a logical progression of the steps to be followed. 

Pros: 


• Written in the manner people speak 
• Very thorough 


Cons: 


• Too difficult to use 
• Reader cannot retrieve information quickly 


The narrative style lets users know how to do something by telling them 
a story. For some, this is the method that is easiest to understand. However, 
for most, the narrative style is too long. 




Exhibit 5 Example of Matrix Style 

Labeling of documents 
  Public: Document may be marked "PUBLIC" on cover or title page 
  Internal Use: No special requirements 
  Confidential: Document should identify owner and be marked "CONFIDENTIAL" 
  on cover or title page 

Duplication of documents 
  Public: No special requirements 
  Internal Use: Duplication for business purposes only 
  Confidential: Information owner to determine permissions 

Mailing of documents 
  Public: No special requirements 
  Internal Use: Mailing requirements determined by information owner 
  Confidential: No classification marking on external envelope; "CONFIDENTIAL" 
  marking on cover sheet; confirmation of receipt at discretion of information 
  owner 

Disposal of documents 
  Public: No special requirements 
  Internal Use: Controlled physical destruction 
  Confidential: Owner-observed physical destruction beyond ability to recover 

Storage of documents 
  Public: Master copy secured against destruction 
  Internal Use: Master copy secured against destruction 
  Confidential: Locked up when not in use 

Access to documents 
  Public: Generally available within and outside company 
  Internal Use: Owner establishes user access rules; generally widely available 
  Confidential: Owner establishes user access rules; generally highly restricted 

Review of document classification level 
  Public: No special requirements 
  Internal Use: Information owner to review at least annually 
  Confidential: Information owner to establish specific review date (not to 
  exceed one year) 




Exhibit 6 Example of Narrative Style 


TOKEN CARDS 

Intent: 

Secure remote access. To identify and authenticate an authorized system user using 
a SecurID that requires a memorized personal identification number (PIN) and 
something that is unique to the user who possesses the SecurID token. 


Scope: 
The following procedures provide direction on the proper use of the SecurID and 
procedures for remote log-ins. 


Responsibilities: 

Management: 

ISSO keeps track of when cards are scheduled to expire and will notify you and 
arrange for a replacement card in advance so that your access privileges will not 
be interrupted. Access control remains in the hands of management. 


Users: 

• Are responsible for the safekeeping and protection of their SecurID card 
• Are responsible for ensuring that their SecurID card is not used by any other 
individual 
• Are responsible for immediately informing (the appropriate institutional 
personnel) when a card is lost or misplaced so that it can be de-activated 


Sequence of Events: 

• Application for SecurID 
• First-time use and PIN change procedure 
• Log-on procedure 
• Next code procedure 
• Activating a replacement SecurID card 


Approvals: 
• Approval of immediate supervisor for SecurID 
• Approval of ISSO for SecurID 


Prerequisites: 

• Get approval to use a SecurID 
• Get procedure for access 
• Load software on workstation 
• Must have SecurID card available for remote log-ins 


Request for SecurID 

Requestor: 
• Complete template for SecurID 
• Forward to Supervisor for approval 
Supervisor: 
• Approve template for SecurID and forward to IP account administration 
IP Account Administration: 
• Process SecurID request 
• Provide requestor with SecurID card 
• Associated software for remote system access 
Requestor: 
• Load necessary software for remote access 
• Activate SecurID card 

Definitions: 
Access A specific type of interaction between a subject and an object that results 
in the flow of information from one to the other. The capability and opportunity 
to gain knowledge of, or to alter information or materials, including the ability and 
means to communicate with (i.e., input or receive output) or otherwise make use 
of any information, resource, or component in a computer system. 
Access Control The process of limiting access to the resources of a system to only 
authorized persons, programs, processes, or other systems. Synonymous with 
controlled access and limited access. Requires that access to information resources be 
controlled by or for the target system. In the context of network security, access control 
is the ability to limit and control the access to host systems and applications via 
communications links. To achieve this control, each entity trying to gain access must 
first be identified, or authenticated, so that access rights can be tailored to the individual. 
Authenticate/Authentication The process to verify the identity of a user, device, or 
other entity in a computer system, often as a prerequisite to allowing access to 
resources in a system. A process used to verify that the origin of transmitted data 
is correctly identified, with assurance that the identity is not false. To establish the 
validity of a claimed identity. 
Authenticated User A user who has accessed the Company system with a valid 
identifier and authentication combination. 
Authorization The privileges and permissions granted to an individual by a 
designated official to access or use a program, process, information, or system. 
These privileges are based on the individual's approval and need-to-know. 
Authorized Person A person who has the need-to-know sensitive information in 
the performance of official duties and who has been granted authorized access at 
the required level. The responsibility for determining whether a prospective 
recipient is an authorized person rests with the person who has possession, 
knowledge, or control of the sensitive information involved, and not with the 
prospective recipient. 
Cardcode The cardcode is the six-digit number displayed on a SecurID card. 
Computer Security Technological and managerial procedures applied to the 
Company systems to ensure the availability, integrity, and confidentiality of 
information managed by the Company. 
Confidentiality The condition when designated information collected for approved 
purposes is not disseminated beyond a community of authorized personnel. It is 
distinguished from secrecy, which results from the intentional concealment or 
withholding of information. Confidentiality refers to: (1) how data will be 
maintained and used by the organization that collected it, (2) what further uses will 
be made of it, and (3) when individuals will be required to consent to such uses. 
It includes the protection of data from passive attacks and requires that the 
information (in the Company system or transmitted) be accessible only for reading 
by authorized parties. Access can include printing, displaying, and other forms of 
disclosure, including simply revealing the existence of an object. 



Data A representation of facts, concepts, information, or instructions suitable for 
communication, interpretation, or processing. It is used as a plural noun meaning 
“facts or information” as in: These data are described fully in the appendix, or as 
a singular mass noun meaning “information” as in: The data is entered into the 
computer. [Random House Webster's College Dictionary, 1994] 

Data Integrity The state that exists when computerized data are the same as those 
that are in the source documents and have not been exposed to accidental or 
malicious alterations or destruction. It requires that the Company systems assets 
and transmitted information be capable of modification only by authorized parties. 
Modification includes writing, changing, changing status, deleting, creating, and 
the delaying or replaying of transmitted messages. See also: Integrity. 

Denial of Service The prevention of authorized access to resources or the delaying 
of time-critical operations. Refers to the inability of the Company system or any 
essential part to perform its designated mission, either by loss of or by degradation 
of operational capability. 

Discretionary Access Control (DAC) A means of restricting access to objects based 
on the identity of subjects and/or groups to which they belong or on the possession 
of an authorization granting access to those objects. The controls are discretionary 
in the sense that a subject with certain access permission is capable of passing that 
permission (perhaps indirectly) onto any other subject. 

Information Security The protection of information systems against unauthorized 
access to or modification of information, whether in storage, processing, or transit, 
and against the denial of service to authorized users or the provision of service to 
unauthorized users, including those measures necessary to detect, document, and 
counter such threats. 

Information Systems Security (INFOSEC) The protection of information assets from 
unauthorized access to or modification of information, whether in storage, 
processing, or transit, and against the denial of service to authorized users or the 
provision of service to unauthorized users, including those measures necessary to 
detect, document, and counter such threats. INFOSEC reflects the concept of the 
totality of the Company system security. 

Identification The process that enables recognition of an entity by a system, 
generally by the use of unique machine-readable user names. 

Information System Security Officer (ISSO) The person responsible to the DAA for 
ensuring that security is provided for and implemented throughout the life cycle 
of a Company system from the beginning of the system concept development phase 
through its design, development, operations, maintenance, and disposal. 
Integrity A sub-goal of computer security which ensures that (1) data is a proper 
representation of information; (2) data retains its original level of accuracy; (3) data 
remains in a sound, unimpaired, or perfect condition; (4) the Company systems 
perform correct processing operations; and (5) the computerized data faithfully 
represents that in the source documents and has not been exposed to accidental 
or malicious alteration or destruction. 

Need-to-Know A determination by the owner of sensitive information that a 
prospective recipient has a requirement for access to, knowledge of, or possession 
of the information in order to perform tasks or services essential to carry out official 
duties. 




Network A communications medium and all components attached to that medium 
whose responsibility is the transference of information. Such components may 
include The Company systems, packet switches, telecommunications controllers, 
key distribution centers, and technical control devices. 

Network Security Protection of networks and their services from unauthorized 
modification, destruction, or disclosure, and the provision of assurance that the 
network performs its critical functions correctly and there are no harmful side effects. 
Passcode The passcode is your PIN followed by your cardcode with no spaces. For 
example, if the number displayed on your card (your cardcode) is 444678 and your 
PIN is 1234, then your passcode is 1234444678. 

Password A protected and private character string used to authenticate the 
Company systems user. 

PIN The PIN is your personal identification number. It is initially set to a four-digit 
number. 

Security Dynamics [SecurID] A network access security system developed by 
Security Dynamics, Inc. (SDI). SecurID sits between the incoming modem and the 
remote access server that provides access to the network; when a dial-in client calls 
in to the network, the user must first enter the correct SecurID information before 
connecting to the remote access server. The SecurID card is a credit-card-sized 
token that lets authorized users access protected computer systems. It consists of 
a microprocessor that calculates and displays a cardcode. The cardcode is, in 
essence, your password. The cardcode changes unpredictably at specified intervals, 
typically between 30 and 60 seconds. 

Security Dynamics [ACE/Server] Security Dynamics ACE/Server is a system of server 
and client software and SecurID cards. Once enabled, SecurID authentication is 
used for the following protocols: IP, IPX, NetBEUI, LLC, and ARA. 

Security Policy The set of laws, rules, directives, and practices that regulate how an 
organization manages, protects, and distributes controlled information. 


Equipment Required: 
• ACE/Server 
• SecurID 


Warnings: 

The SecurID card is rugged enough to withstand reasonably adverse conditions. 
However, the card is an electronic device and should be handled with care. 

• DO NOT immerse the card in water or get it wet. 
• DO NOT let it be exposed to temperature extremes (temperatures colder than 
-5°F or hotter than 120°F, nor to sustained temperatures above 90°F). 
• DO NOT subject it to excessive (i.e., dangerous to people) electric or 
electromagnetic activity, including such radiation as microwaves, x-rays, or 
electrostatic shock. 
• DO NOT drop it on a hard surface, bend, or otherwise stress it excessively. In 
particular, do not carry it in a pants pocket or put it in a wallet carried in a back 
pocket. The cardcode display area of the card is an LCD (liquid crystal display) 
screen and is made of glass that can be damaged by too much pressure, such 
as when sitting down. 




• DO NOT write on or stick anything to the card. 
• DO NOT use a pen or any other sharp object to press the PIN keys on the card. 
This will permanently damage the card. 


Precautions: 
The SecurID card is a sophisticated microprocessor and is costly to replace. You 
are responsible for the card issued to you. 

• DO NOT lend your SecurID card to anyone else. 
• NEVER leave your SecurID card on your desk or next to your personal computer 
where it can be taken or used by someone else. When you are not using the 
card, put it back in its protective jacket. Carry it with you or lock it in your desk 
drawer or a filing cabinet for safekeeping. 
• Your SecurID card has a Personal Identification Number (PIN) associated with 
it. The PIN is confidential and should not be divulged or shared with anyone 
else. Treat your SecurID PIN like you treat the PIN for your credit and bank 
cards. Sharing a PIN is against the Company information security policy and may 
lead to disciplinary action. 
• Your PIN must be between four and six digits long. You cannot use alphabetic 
or special characters as part of your PIN. Longer PINs are more secure and 
therefore a six-digit PIN is recommended. 
• PINs may not start with a zero, but a zero may be used in any other position. 
• Pick a PIN that is easy for you to remember but hard for someone else to guess. 
If you feel someone knows your PIN, contact your department Access Control 
Representative right away and your PIN will be reset for you. 
• DO NOT write down the PIN and, more importantly, do not write the PIN on 
the card. 
• If you forget your PIN, contact your department Access Control Representative 
and your PIN will be reset for you. 
• DO NOT use obvious, trivial, or predictable PINs. Examples of bad PINs include: 
  - Your birth date 
  - Your home/office telephone number or parts thereof 
  - Your Company or home street number or your office room number 
  - PINs using numbers in sequence such as 1234, 3456, 4321, etc. 
  - PINs using repetitive numbers 
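The PIN rules in the Precautions above, and the Passcode definition earlier in this exhibit (PIN followed by cardcode, no spaces), expressed as checks an access-control administrator could run. This is an added example, not code from the book or from Security Dynamics; the tests for "in sequence" (one ascending or descending run, as in 1234 or 4321) and "repetitive" (all digits identical) are my reading of the exhibit's examples, and the replay ledger is an assumed server-side implementation of "once accepted, a SecurID cardcode cannot be reused."

```python
"""PIN policy and passcode helpers for the SecurID procedure in Exhibit 6.

Added example; not code from the book or from Security Dynamics.
Assumptions: "in sequence" means a single ascending or descending run of
digits (1234, 3456, 4321); "repetitive" means every digit is the same.
"""
import re

PIN_MIN, PIN_MAX = 4, 6   # "between four and six digits long"
CARDCODE_LEN = 6          # "the six-digit number displayed on a SecurID card"


def _is_digits(s, length=None):
    """True when s is ASCII digits only (and of the given length, if any)."""
    ok = s.isascii() and s.isdigit()
    return ok and (length is None or len(s) == length)


def pin_problems(pin, personal_numbers=()):
    """Return the policy rules `pin` breaks; an empty list means acceptable.

    personal_numbers: strings such as a birth date, phone number or street
    number; a PIN found inside their digits is rejected ("or parts thereof").
    """
    problems = []
    if not _is_digits(pin):
        problems.append("PIN must contain digits only")
        return problems                       # later checks assume digits
    if not PIN_MIN <= len(pin) <= PIN_MAX:
        problems.append(f"PIN must be {PIN_MIN} to {PIN_MAX} digits long")
    if pin.startswith("0"):
        problems.append("PIN may not start with a zero")
    if len(set(pin)) == 1:
        problems.append("PIN uses repetitive digits")
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):                  # every step is +1 or every step is -1
        problems.append("PIN uses digits in sequence")
    for number in personal_numbers:
        if len(pin) >= PIN_MIN and pin in re.sub(r"\D", "", number):
            problems.append("PIN is derived from a personal number")
            break
    return problems


def compose_passcode(pin, cardcode):
    """Passcode = PIN followed by cardcode with no spaces (exhibit definition)."""
    if not (_is_digits(pin) and PIN_MIN <= len(pin) <= PIN_MAX):
        raise ValueError("PIN must be 4 to 6 digits")
    if not _is_digits(cardcode, CARDCODE_LEN):
        raise ValueError("cardcode must be exactly 6 digits")
    return pin + cardcode


def first_time_passcode(card_serial, cardcode):
    """Registration entry: card serial, a forward slash, then the cardcode."""
    if not _is_digits(cardcode, CARDCODE_LEN):
        raise ValueError("cardcode must be exactly 6 digits")
    return f"{card_serial}/{cardcode}"


class CardcodeLedger:
    """Assumed server-side record: an accepted cardcode may not be reused.

    Keeps the last accepted cardcode per card serial; presenting that same
    value again is a replay and is refused until the card shows a new code.
    """

    def __init__(self):
        self._last_accepted = {}

    def accept(self, card_serial, cardcode):
        if self._last_accepted.get(card_serial) == cardcode:
            return False                      # replay of an already-used code
        self._last_accepted[card_serial] = cardcode
        return True


if __name__ == "__main__":
    # Constructed sample values, including the exhibit's own worked numbers.
    for candidate in ("1234", "1111", "0987", "2580"):
        print(candidate, pin_problems(candidate) or "acceptable")
    print(compose_passcode("1234", "444678"))         # 1234444678
    print(first_time_passcode("03103144", "582984"))  # 03103144/582984
```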


Procedure Body: 

First-Time Use and PIN Change Procedure 

The first time you use your SecurID card and whenever your Personal Identification 
Number (PIN) is reset, you must register your SecurID card on the system. 


When you first access the system, the LOGON screen is displayed. 
Enter your User ID and press the TAB key. Do not press the Enter key at this time. 
Enter the Card Serial Number (see example below) printed on the back of your 
SecurID card, followed by a forward slash “/” and the cardcode displayed on 
your SecurID LCD screen. 
Example: 
If the serial number of your card is 03103144 and the cardcode displayed on 
your card is 582984, enter 03103144/582984 in the passcode field. 




Do not enter any spaces between the card serial number, the forward slash, and 
the cardcode. 

Press the Enter key. 

The system displays the “ENTER NEW USER DEFINED PIN” screen. 

Choose a PIN (For more information refer to The Personal Identification Number 
(PIN) section.) 

Enter the PIN you have chosen. 

Press the Enter key. 

The system displays the “RETYPE TO CONFIRM:” screen. 

Reenter the PIN you have chosen to confirm that you have entered it correctly 
the first time. 

Press the Enter key. 

The system displays the log-on screen one more time. 

Proceed to the Log-on Procedure. 


Log-on Procedure 


• The system displays the log-on screen when you first access the system. 
• Enter your User ID. 
• Press the TAB key. Be careful not to start entering the cardcode before pressing 
the * key. Do not press the Enter key at this time. 
• Enter your PIN into the SecurID card PIN pad and then press the Diamond 
Symbol to display the cardcode. 
• Enter the six-digit cardcode displayed on your SecurID card LCD screen in the 
passcode field. 
• Now press the Enter key. 


If you enter the information incorrectly, the system will not approve your access. Try 
again. You have five chances to enter the correct information. If for some reason you 
are not able to enter the right information after ten attempts, your SecurID card will 
be suspended by the system. This is for security reasons. If this happens, contact 
your Access Control Representative immediately so that your card can be reactivated. 


Once you enter a valid passcode, the system may display the “CARDCODE 
APPROVED” message. 


The system now displays your Menu screen. 


For security reasons, once accepted, a SecurID cardcode cannot be reused. If you 
log out and try to log in again before the cardcode changes, you will not succeed 
the second time. Wait until the cardcode changes before trying again. 


Next Code Procedure 

On occasion after you have entered your cardcode correctly, the system may ask 
you to enter the next cardcode that is displayed on the LCD screen of your SecurID 
card. This occurs either when your card has not been used for a few weeks or if 
you had several failed attempts prior to a successful log-in. 




When this happens, the system displays the “NEXT CODE” screen. 
Wait until the next cardcode is displayed and then enter it. 

Press the Enter key. 

The system now displays your Menu screen. 




Activating a Replacement SecurID Card 

When your SecurID card expires or if you damage or lose your SecurID card, 
Computer Security Administration will issue a replacement card. The replacement 
card must be activated before it can be used to access the system(s) you are 
authorized for. 


Activating Your Replacement SecurID Card 

Your replacement card is reactivated automatically by the SecurID system. Follow 
the same procedure you use when logging in. The system will remember the PIN 
you used on your previous card. 


6.6.5 Flowchart 


Flowcharts are pictorial representations in which symbols are used to depict 
persons, places, actions, functions, or equipment. They give the user a diagram 
of the decision-making process and what is expected at each step. 

Flowcharts are best used when providing the user with an overview of 
what the process is going to be. The flowchart will help users understand 
their portion of the procedure. They will be able to see where decisions are 
to be made and what direction to take based on the decision. It will be 
necessary to have a key to ensure that the user understands what the flowchart 
symbols mean. 

The flowchart procedure style should be considered a supplement to the 
actual procedure text. This process of laying out the procedure in a flowchart 
is actually beneficial to the writer of the procedure. By developing a decision 
flow process, the procedure writer will have a better chance of developing a 
logical and correct procedure. 

Pros: 


• It is easy to read. 
• Technical types are familiar with the style. 


Cons: 
• Nontechnical types do not like flowcharts. 


An example of a flowchart-type policy might include the narrative and 
then the actual flowchart, as shown in Exhibit 7. 




Exhibit 7 Example of Flowchart Style 


Levels of ROOT Exposure 

An individual may obtain a ROOT (or systems administration) level account, 
depending upon the user's work assignment. Securing a ROOT account requires 
the approval of a level B Information Systems Manager, with subordinate approval 
as well. 


If a user is part of the System Administration Staff, the user may be granted access 
via the System Administration or Root group, depending upon the platform being 
utilized. Users who are Department System Administrators may be granted 
department administrator access. Any user who is a Workgroup Administrator may 
be granted Workgroup Administrator access. Users who are project administrators 
may be granted access as necessary, depending upon the project. Any user-initiated 
root request will be denied root access. 


Definitions (Levels of Root Access): 

System Administrator or Root Access Full access to all computer resources. 
Department System Administrator Access Full access to all computer resources 
available to the specific department. 

Workgroup Administrator Access Full access to all computer resources available 
to the specific workgroup. 

Project Administrator Access Access will be determined on a project-by-project 
basis and limited to only those areas necessary to satisfy the requirements of the 
project. 


All user IDs with any ROOT level access will be added to the audit log functions 
and Security will be notified to monitor all ROOT access IDs. 


Any violations or abuses of a ROOT level access must be reported to Security 
Management (e-mail notification or security incident form) and to the MIS 
Department (security incident form). 


6.6.6 Playscript 


For anyone who has ever been in a play or has had the opportunity to 
read a play in a literature class, this style will be familiar. The process 
identifies each of the main participants, the actual commands to be entered, 
and any direction needed to complete the process. Exhibit 8 gives an 
example of this. 

The playscript identifies each individual involved in the procedure. Each 
step involved in the procedure is described in detail, along with when each step is 
to be executed. The playscript is easy to understand and the language used 
eliminates unnecessary words (adjectives and adverbs). Keep the sentences 
to the point; remember that you are writing a procedure, not the great American 
novel. A typical statement might be “sign and date forms” or “forward form 
1040A to supervisor.” 




Exhibit 8 Example of Playscript Style 


Submitting Papers for Public 
Employees: 
1. Shall submit to their manager 
A. Information about the conference, journal, magazine, etc. where the 
information will be submitted for potential presentation. 
B. The submission guidelines of the conference, journal, magazine, etc. where 
the information will be presented. 
C. An abstract of the presentation, article, or white paper that will be published 
or presented. 
D. A writing and research timeline. 


The Manager will then: 
1. Approve the presentation, white paper, or article. 
2. Not approve the presentation, white paper, or article. — Stop. 


The Employee will then: 
1. Submit the abstract to conference. 
2. Begin writing white paper or article. 
3. Begin any required research. 
4. Provide brief updates to manager when each part of timeline is completed. 
5. Ensure presentation, white paper, or article complies with the Information 
Protection policy. 
6. If submitting to a conference, receive presentation acceptance. If declined — Stop 
7. Submit final paper or presentation to manager for final approval. 


Manager will then: 
1. Give final approval 
2. Decline — Stop 


Employee: 
1. Submit article or white paper to journal or magazine, etc. 
2. Receive acceptance from magazine or journal or they decline. — Stop 
3. Give presentation at conference. 


Stop 


In the playscript style it is best to describe only one function in any one 
step. As part of the definition section of the procedure, define the key 
participants in the procedure and use a form of shorthand to call out that 
participant. For example, instead of having to identify the Corporate Information 
Officer, use CIO. For the Manager of Information Systems, Operation, 
and Quality Assurance, you may want to shorten this title to Manager. The 
key here is to keep it simple, but eliminate any confusion. 

Another variation on the playscript style of procedure writing is the tree 
style (see Exhibit 9). This uses the same basic layout as the playscript, but it 
allows the user to drill down to each of the steps identified. 




Exhibit9 Example of Tree Style 


Employee Standards of Conduct 
Intent: The intent is to define standard procedures for employee conduct. 


Scope: The procedure will outline acceptable and unacceptable behavior for all 
employees of the Company. 


Responsibilities: It is the responsibility of management to ensure a just and 
fair environment for all employees. It is the responsibility of the employee to 
avoid conflicts of interest, report misconduct, and follow all standards of 
conduct. 


Sequence of Events: A grievance, misconduct, or question regarding a conflict-of- 
interest situation must arise. 


Approvals: The termination of an employee must have final approval from senior 
management. 


Prerequisites: None 


Definitions: 
Employee: Any person compensated for services rendered by The Company. 
General Auditor: Person who is responsible for advising in and investigating 
all reported misconduct and violations of standards of conduct. 
Immediate Family Member: As defined by the Internal Revenue Code of the 
United States. 
Insider Information: Nonpublic information. 


Equipment Required: 
■ Information Protection policy 
■ Conflict of Interest policy 

Warnings: None 
Precautions: None 


Procedure Body: 

Standards of Conduct 

Employees 

1. Shall act in an ethical manner, and shall avoid actions that have the appearance 
of being unethical 

2. Shall abide by applicable laws, regulations, and professional standards 

3. Shall avoid conflict of interest situations (see Conflict of Interest policy for more 
information) 

4. Shall meet individual performance expectations 

5. Shall abide by company and organizational policies and practices 




6. Shall accurately and honestly record and report corporate information, and 
shall also maintain the confidentiality of corporate information (see 
Information Protection policy) 

7. Shall treat co-workers and others with dignity and respect 


Employees 

1. Are expected to use intelligence, common sense, and good judgment in 
applying these standards of conduct. 

2. When in doubt shall direct questions relating to the standards of conduct 
to their managers. 

3. Those who observe conduct that does not appear consistent with these 
standards of conduct should discuss the matter with their managers. However, 
employees who feel uncomfortable reporting to their managers, or who are not 
satisfied with the action taken, rather than letting the matter drop, should 
seek the counsel of the General Auditor. 

Employees who feel that they have been the subject of a violation of the 
standards of conduct should immediately report the matter to their manager 
or to the Vice President of Human Resources. 

Manager 

1. Take reports of Standards of Conduct violations, or suspected violations, 
from employees. 

2. Report fraudulent activity to the General Auditor, in the Risk Management 
Office. 

3. Investigate all complaints in as discreet a fashion as possible. 

4. Take action where appropriate, once the investigation is complete. 

5. Provide appropriate feedback to those who report misconduct. 

General Auditor 

1. Take reports of fraudulent activity from Managers. 

2. Investigate all complaints in as discreet a fashion as possible. 

3. Take action where appropriate, once the investigation is complete. 

4. Provide appropriate feedback to those who report misconduct. 




Vice President of Human Resources 

1. Take reports of possible standards of conduct violations from employees. 
2. Investigate all complaints in as discreet a fashion as possible. 

3. Take action where appropriate, once investigation is complete 

4. Provide appropriate feedback to those who report misconduct. 


The Corporation 

1. Will not retaliate against any employee who reports suspected misconduct. 

2. Shall provide or select legal counsel and indemnify any employee who becomes 
involved in a legal matter arising out of employment with the Company, if, in 
the opinion of the General Counsel, the employee was acting in good faith, 
within the scope of the job responsibilities, and legal counsel or indemnification 
is not otherwise available to the employee. 


6.7 Creating a Procedure 


After the SME has been interviewed, write the procedure and then send it to 
both the SME and the SME backup. Have them review and edit the procedure. 
Incorporate their edits into the procedure and then publish it. There is no 
need for additional rounds of review. When writing the procedure, remember 
the following: 


■ Establish a small, knowledgeable initial review panel. 

■ Do not create all the procedures by yourself. Seek out personnel in 
areas affected by the controls and gain their expertise and assistance 
in this process. 

■ Be certain that the procedures resemble the procedures currently being 
used in your organization. 

■ Try to get on the agenda of the IS Steering Committee to present your 
program and solicit the support of the committee. 

■ Whenever possible, accept and implement the comments made by 
the reviewers. At the very least, contact the reviewer and explain why 
the comments could not be included. 

■ If there appears to be a conflict, set up a meeting, at the respondent's 
location if possible, to resolve the problem. 

■ Be persistent. You are going to have to keep after the reviewers to get 
their responses. 


6.8 Summary 


When writing procedures, it is best to keep the language as simple as possible. 
Stay away from flowery phrases and multi-syllable words. Keep the sentences 
short and the terms crisp. Identify what each role is in the procedure and 
find the style that best meets the needs of your organization. 




In this chapter we have reviewed the definitions of policy, procedure, 
standard, and guideline. The writing “Ten Commandments” were discussed. 
We then examined the procedure key elements: 


Identify the procedure need. 
Identify the target audience. 
Establish the scope of the procedure. 
Describe the intent of the procedure. 


We then examined a procedure twelve-point checklist and the six styles 
of procedures: 


Headline 
Caption 
Matrix 
Narrative 
Flowchart 
Playscript 




Chapter 7 


Information Classification 


This chapter is devoted to addressing a specific topic, information classifi- 
cation, and what the policies for this topic might look like. Included in the 
text is a formal discussion on each of the classifications and examples of 
existing policy statements. We critique these policies and establish the 
framework for the development of such a policy for any organization. We 
examine what constitutes confidential information, employee responsibilities, 
an example of an information handling matrix, and an information classifi- 
cation methodology. 


7.1 Introduction 


Information is an asset and the property of the organization. All employees 
are to protect information from unauthorized access, modification, disclosure, 
and destruction. Before employees can be expected to protect information, 
they must first understand their responsibility. An information classification 
policy and methodology will provide them with the help they need. 

There are four essential aspects of information classification: (1) information 
classification from a legal standpoint, (2) responsibility for care and control 
of information, (3) integrity of the information, and (4) the criticality of the 
information and the systems processing the information. Examples of how the 
classification process fits into the application and system development life 
cycle are presented to assist you in the development of your own information 
classification process. 


7.2 Why Classify Information 


Organizations classify information to establish the appropriate levels of pro- 
tection for those resources. Because resources are limited, it will be necessary 




Exhibit 1 Information Classification Breakdown (chart of 100% of all enterprise 
information: 80% Internal Use Information, 10% Confidential Information) 


to prioritize and identify what really needs protection. One of the reasons to 
classify information is to ensure that scarce resources be allocated where they 
will do the most good. All information is created equally, but not all information 
is of equal value (Exhibit 1). 

The old concept in computer security was that everything is closed until 
it is opened. However, after nearly 20 years of working with companies in 
establishing information classification systems, I have found that nearly 90 
percent of all enterprise information needs to be accessed by employees or 
is available through public forums. Because resources are limited, the concept 
that all information is open until it requires closing is perhaps a better way 
of protecting information. 

Most organizations do not have information that is all of the same value. 
Therefore, it is necessary at least to develop an initial high-level attempt at 
classification. This should be done, if for no other reason than to ensure that 
budgeted resources are not misused in protecting, or failing to protect, information 
assets. Before employees can protect information assets, they must first have 
a mechanism in place that allows them to establish the value of the information. 
An information classification system and a scoring methodology that relies on 
common sense and a knowledge of the corporate culture and market sensitivity 
can be a significant advantage in most organizations. 


7.3 What Is Information Classification? 


An information classification process is a business decision process. When 
developing a system for your organization, it will be necessary to limit the 
role of the security professionals and the computer technicians. The project 
to develop an information classification system is one in which the business 
side of the enterprise must take an active role. 




Exhibit 2 Fortune 500 Managers Rate Information Importance 

                   Deloitte & Touche    Ernst & Young 
Availability              1                   2 
Confidentiality           3                   3 
Integrity                 2                   1 


In a recent pair of surveys (Exhibit 2), the Big Four accounting firms of 
Ernst & Young and Deloitte & Touche interviewed Fortune 500 managers 
and asked them to rank, in importance to them, information availability, 
confidentiality, and integrity. As can be seen from the results, the managers 
responded that information needed to be available when they needed to 
have access to it. Implementing access control packages that render access 
difficult or overly restrictive is a detriment to the business process. Addition- 
ally, other managers felt that the information must reflect the real world. That 
is, controls should be in place to ensure that the information is correct. 
Preventing or controlling access to information that is incorrect is of little 
value to the enterprise. 


7.4 Establish a Team 


Because the establishment of an information classification system and policy 
is a business function, it will be necessary to create a team for this project. 
It is recommended that there be two teams: a core group made up of three 
to five members and a support team. The support team should consist of 
members from each of the major user departments or groups. The core group 
will be responsible for actually drafting the information classification policy. 
This will be accomplished after interviewing each of the user departments 
and determining their needs. 

The support team will be used for two vital elements in this process. It 
will review and critique the information classification policy and it will assist 
in selling the policy to management. To be effective, the policy will have 
to be accepted by all members of management. To be accepted, it will be 
necessary to sell this product to each of the managers based on each one's 
individual needs and business objectives. Using the support team members, you will be 
able to determine what each manager is expecting. Once the draft policy has 
been reviewed by the support team (probably twice) and its comments 
addressed, it is strongly recommended that a meeting with key management 
personnel be set up. 

These meetings should be in the individual manager's office and should 
have one or two representatives from the core group and the support team 
member from the policy development team. The objective of this session is 
to explain quickly what the policy is about, how it will assist the managers 
in meeting their mission, and then to answer any questions that they might 
have. Input from personnel from that manager's organization will assist in the 
acceptance of the information classification policy. 




7.5 Developing the Policy 


The first cut at the development process is to examine information from two 
perspectives: 


1. Sensitivity — The need for confidentiality, integrity, and controlled 
usage; and 
2. Availability — Information that is there when it is needed. 


It may be necessary to examine examples of different kinds of information 
found within the organization. Each of the support team members should be 
prepared to discuss examples of the kinds of information used within the 
organization. It will be necessary to have examples from all of the organizations 
— information examples from human resources, engineering, financial, budget, 
legal, information systems, and administrative records. 

As a team, examine each of the examples of corporate information and 
apply them to a scoring table like the one shown in Exhibit 3. Using the 
information gained from this process, the team should be able to establish 
classification categories and criteria for confidentiality, integrity, and avail- 
ability that: 


■ Are based on the impact to the business or mission 

■ Can be clearly and consistently interpreted by managers and employ- 
ees 

■ Will result in different protective actions for each category 


If the difference between two types of information is not important to the 
organization from a confidentiality or availability perspective, then do not 
include it. Make the language and the categories as simple as possible. When 
developing a category system, try the categories out on different groups of 
managers and solicit their input. It may be beneficial to conduct two or three 
brainstorming sessions to test out the category possibilities. 


Exhibit 3 Priority Matrix: Unauthorized Disclosure 

                    Impact to the Organization 
Priority        Low      Medium      High 
Low              1         4           7 
Medium           2         5           8 
High             3         6           9 


7.6 Resist the Urge to Add Categories 


Keep the number of information classification categories to as few as possible. 
If two possible categories do not require substantially different treatment, then 
combine them. The more categories that are available, the greater the chance 




for confusion among managers and employees. Normally, three or four cate- 
gories should be sufficient to meet the needs of your organization. 

Additionally, avoid the impulse to classify everything the same. To simplify 
the classification process, some organizations have flirted with having every- 
thing classified as confidential. The problem with this concept is that confi- 
dential information requires special handling. This would violate the concept 
of placing controls only where they are actually needed. This method would 
require the organization to waste limited resources protecting assets that do 
not really require that level of control. 

Another pitfall to avoid is to take the information classification categories 
developed by another enterprise and adopt them verbatim as your own. Use 
the information created by other organizations to assist in the creation of a 
unique set of categories and definitions for your organization. 


7.7 What Constitutes Confidential information 


There are a number of ways to look at information that may be classified as 
confidential. We examine a number of statements relating to confidential 
information. The first is a general statement about sensitive information. For 
a general definition of what might constitute confidential information, it may 
be sufficient to define such information as: 


Information that if disclosed could violate the privacy of individuals, 
reduce the company”s competitive advantage, or could cause damage 
to the organization 


The Economic Espionage Act of 1996 (EEA) defines "trade secret" information 
to include "all forms and types of financial, business, scientific, technical, 
economic, or engineering information" regardless of "how stored, compiled, 
or memorialized." The EEA is a two-edged sword: while it is illegal for 
someone to steal trade secret information, the act requires that the owner 
take reasonable measures to keep the information secret, and it must 
be shown that the information derives value from being kept secret. A 
classification label on its own is not such a measure; the handling controls 
that stand behind the label (limited access, marking, nondisclosure agreements) 
are what the owner has to be able to demonstrate. 

There are a number of other information classification types that you may 
have heard about over the years. Let's take just a minute to review one of 
them — copyright. 


7.7.1 Copyright 


At regular intervals, employees will create new work in the form of application 
programs, transactions, systems, Web sites, and so forth. To protect the 
organization from loss of created material, enterprise policies on copyright 
ownership must be implemented and all employees must be reminded of 
these policies on a regular basis. 

Unlike other forms of intellectual property protection, the basis for copyright 
occurs at the creation of an original work. Although copyrights are 
registered by government copyright offices, every original work has an inherent 
right to a copyright and is protected by that right even if the work is not 
published or registered. 

All original works of authorship created by employees for a company within the 
scope of their employment are the property of the company and are protected 
by copyright law. For consultants doing work for your organization under a 
purchase order or other contractual agreement, ownership should not be assumed: 
unless the contract assigns the copyright to the organization (or qualifies the 
work as a work made for hire in writing), a contractor may retain the copyright 
in what is created, so every such agreement should contain an explicit 
ownership clause. 

The types of work that qualify for copyright protection include: 


■ All types of written works 

■ Computer databases and software programs (including source code, 
object code, and microcode) 

■ Output (including customized screens and printouts) 

■ Photographs, charts, blueprints, technical drawings, and flowcharts 

■ Sound recordings 


A copyright does not protect: 


■ Ideas, inventions, processes, and three-dimensional designs (these are 
covered by patent law); and 
■ Brands, products, or slogans (covered by trademark law). 


For confidential information, if the organization takes adequate steps (oper- 
ates in good faith) to keep confidential information secret both internally and 
externally, then if there is a breach, the organization can seek relief through 
the courts. For trade secret and competitive advantage information, there may 
be criminal penalties for individuals as well as organizations, in addition to civil 
penalties (see Exhibit 4). 


Exhibit 4 Typical Organization Confidential Information (figure; caption: 
Information Classification protects the intellectual assets; legible label: 
Consolidated Revenue) 




7.8 Classification Examples 


In Exhibits 5 through 9, we examine attributes and examples of different 
classification categories. We will also present examples of organization infor- 
mation classification definitions. 


Exhibit 5 Example 1 


Information Classification 


Policy: Security classifications should be used to indicate the need and 
priorities for security protection. 

Objective: To ensure that information assets receive an appropriate level of 
protection. 

Statement: Information has varying degrees of sensitivity and criticality. Some 


items may require an additional level of security protection or special 
handling. A security classification system should be used to define 
an appropriate set of security protection levels, and to communicate 
the need for special handling measures to users. 


Exhibit 6 Example 2 


Classification Requirements 

Classified data is information developed by the organization with some effort and 
some expense or investment that provides the organization with a competitive 
advantage in its relevant industry and that the organization wishes to protect from 
disclosure. 


Although defining information protection is a difficult task, four elements serve as 
the basis for a classification scheme: 

■ The information must be of some value to the organization and its competitors 
so that it provides some demonstrable competitive advantage. 

■ The information must be the result of some minimal expense or investment by 
the organization. 

■ The information is somewhat unique in that it is not generally known in the 
industry or to the public or may not be readily ascertained. 

■ The information must be maintained as a relative secret, both within and outside 
the organization, with reasonable precautions against disclosure of the 
information. Access to such information could only result from disregarding 
established standards or from using illegal means. 


Top Secret (Secret, Highly Confidential) 

Attributes: 

■ Provides the organization with a very significant competitive edge 

■ Is of such a nature that unauthorized disclosure would cause severe damage to 
the organization 

■ Shows specific business strategies and major directions 

■ Is essential to the technical or financial success of a product 

Examples: 

■ Specific operating plans, marketing strategies 

■ Specific descriptions of unique parts or materials, technology intent statements, 
new technologies and research 

■ Specific business strategies and major directions 


Confidential (Sensitive, Personal, Privileged) 

Attributes: 

■ Provides the organization with a significant competitive edge 

■ Is of such a nature that unauthorized disclosure would cause damage to the 
organization 

■ Shows operational direction over extended periods of time 

■ Is extremely important to the technical or financial success of a product 

Examples: 

■ Consolidated revenue, cost, profit, or other financial results 

■ Operating plans, marketing strategies 

■ Descriptions of unique parts or materials, technology intent statements, new 
technological studies and research 

■ Market requirements, technologies, product plans, revenues 


Restricted (Internal Use) 

Attributes: 

■ All business-related information requiring baseline security protection, but 
failing to meet the specified criteria for higher classification 

■ Information that is intended for use by employees when conducting company 
business 

Examples: 

■ Business information 

■ Organization policies, standards, procedures 

■ Internal organization announcements 


Public (Unclassified) 

Attributes: 

■ Information that, due to its content and context, requires no special protection, or 

■ Information that has been made available for public distribution through 
authorized company channels 

Examples: 

■ Online public information, Web site information 

■ Internal correspondence, memoranda, and documentation that do not merit 
special controls 

■ Public corporate announcements 




Exhibit 7 Example 3 


Information Classification 
Introduction 
Information, wherever it is handled or stored (for example, in computers, file 
cabinets, desktops, fax machines, voice mail), needs to be protected from 
unauthorized access, modification, disclosure, and destruction. All information is 
not created equal. Consequently, segmentation or classification of information into 
categories is necessary to establish a framework for evaluating the relative value 
of the information and the appropriate controls required to preserve its value to 
the company. 


Three basic classifications of information have been established by the corporation 
(see below). Business units may define additional subclassifications as necessary to 
complete their framework for evaluating and preserving information under their 
control. 


When information does require protection, the protection must be consistent. 
Often strict access controls are applied to data stored in the mainframe computers 
but not applied to office workstations. Whether in a mainframe, client/server, 
workstation, file cabinet, desk drawer, wastebasket, or in the mail, information 
should be subject to appropriate and consistent protection. 


The definitions and responsibilities described below represent the minimum level 
of detail necessary for all organizations across the company. Each organization may 
decide that additional detail is necessary to adequately implement information 
classification within its organization. 


Corporate Policy: 
All information must be classified by the owner into one of three classifications: 
Confidential, Internal Use, or Public. 

(From Company Policy on Information Management) 


Confidential 

Definition: 

Information that, if disclosed, could: 

■ Violate the privacy of individuals, 

■ Reduce the competitive advantage of the company, or 

■ Cause damage to the company. 


Examples: 

Some examples of Confidential information are: 

■ Personnel records (including name, address, phone, salary, performance rating, 
social security number, date of birth, marital status, career path, number of 
dependents, etc.) 

■ Customer information (including name, address, phone number, energy 
consumption, credit history, social security number, etc.) 




■ Shareholder information (including name, address, phone number, number of 
shares held, social security number, etc.) 

■ Vendor information (name, address, product pricing specific to the company, 
etc.) 

■ Health insurance records (including medical, prescription, and psychological 
records) 

■ Specific operating plans, marketing plans, or strategies 

■ Consolidated revenue, cost, profit, or other financial results that are not public 
record 

■ Descriptions of unique parts or materials, technology intent statements, or new 
technologies and research that are not public record 

■ Specific business strategies and directions 

■ Major changes in the company management structure 

■ Information that requires special skill or training to interpret and employ 
correctly, such as design or specification files 


If any of these items can be found freely and openly in public records, the company 
obligation to protect them from disclosure is waived. 


Internal Use 

Definition: 

Classify information as Internal Use when the information is intended for use by 
employees when conducting company business. 


Examples: 
Some examples of Internal Use information are: 


■ Operational business information/reports 

■ Non-company information that is subject to a nondisclosure agreement with 
another company 

■ Company phone book 

■ Corporate policies, standards, and procedures 

■ Internal company announcements 

Public 

Definition: 


Classify information as Public if the information has been made available for public 
distribution through authorized company channels. Public information is not 
sensitive in context or content, and requires no special protection. 


Examples: 

The following are examples of Public information: 

■ Corporate Annual Report 

■ Information specifically generated for public consumption such as public 
service bulletins, marketing brochures, and advertisements 




Exhibit 8 Example 4 


Information Management 


1. General 

A. Corporate information includes information that is electronically generated, 
printed, filmed, typed, or stored. 

B. Information is a corporate asset and is the property of the Corporation. 

2. Information Retention 

A. Each organization shall retain information necessary to the conduct 
of business. 

B. Each organizational unit shall establish and administer a records 
management schedule in compliance with applicable laws and 
regulations, and professional standards and practices, and be 
compatible with Corporate goals and expectations. 

3. Information Protection 

A. Information must be protected according to its sensitivity, criticality, 
and value, regardless of the media on which it is stored, the manual 
or automated systems that process it, or the methods by which it is 
distributed. 

B. Employees are responsible for protecting corporate information from 
unauthorized access, modification, destruction, or disclosure, whether 
accidental or intentional. To facilitate the protection of corporate 
information, employee responsibilities have been established at three 
levels: Owner, Custodian, and User. 

1. Owner: Company management of the organizational unit where 
the information is created, or management of the organizational 
unit that is the primary user of the information. Owners are 
responsible to: 

a. Identify the classification level of all corporate 
information within their organizational unit, 
b. Define appropriate safeguards to ensure the 
confidentiality, integrity, and availability of the 
information resource, 
c. Monitor safeguards to ensure they are properly 
implemented, 
d. Authorize access to those who have a business need for 
the information, and 
e. Remove access from those who no longer have a 
business need for the information. 

2. Custodian: Employees designated by the owner to be 
responsible for maintaining the safeguards established by the 
owner. 

3. User: Employees authorized by the owner to access information 
and use the safeguards established by the owner. 

C. Each Vice President shall appoint an Organization Information 
Protection Coordinator who will administer an information protection 
program that appropriately classifies and protects corporate 
information under the Vice President's control and makes employees 
aware of the importance of information and methods for its protection. 

4. Information Classification. To ensure the proper protection of corporate 
information, the owner shall use a formal review process to classify 
information into one of the following classifications: 

A. Public: Information that has been made available for public 
distribution through authorized company channels. (Refer to 
Communication Policy for more information.) 

B. Confidential: Information that, if disclosed, could violate the privacy 
of individuals, reduce the competitive advantage of the company, or 
could cause significant damage to the company. 

C. Internal Use: Information that is intended for use by all employees 
when conducting company business. Most information used in the 
company would be classified as Internal Use. 


7.9 Declassification or Reclassification of Information 


Classified information normally declines in sensitivity with the passage of time. Downgrading should be as automatic as possible. If the information owner knows the date on which the information should be reclassified, then it might be labeled as: Confidential until (date). There should be an established review process for all information classified as confidential, and the information should be reclassified when it no longer meets the criteria established for that classification.

Part of an effective information classification program is to destroy documents when they are no longer required. Placing restrictions on copying classified documents will ensure that the documents and data sets are controlled and logged with respect to the number of copies created and to whom those copies were assigned. To assist in this process, it may be convenient to create an information handling matrix (see Exhibit 10).


7.9.1 Protection Requirements 


Data must be protected according to its classification to reduce risks to a minimum acceptable level. Protection must be provided and planned according to how the data is transmitted, stored, and processed. Protection mechanisms must be specified for each of these functions. Exhibit 11 indicates the minimum data protection mechanisms for each classification of data and for each activity related to the data.


7.10 Information Classification Methodology 


The final element in an effective information classification process is to provide management and employees with a method with which to evaluate information and an indication of where the information should be classified. To accomplish this, it may be necessary to create an information classification worksheet (Exhibit 12). These worksheets can be used by the business units to determine what classifications of information they have within their organization.


119 


Information Classification 


Exhibit 9 Information Classification Matrix

A. Classification Definitions and Examples

Four classification categories exist within Sprocket Inc. The three most sensitive categories (Internal Use Only, Restricted, and Highly Restricted) are collectively referred to as Proprietary classifications.

Public ("Would Not" is the key word discriminator)

1. Considered to have value, but there is no risk of unauthorized disclosure.
2. It would not provide a business or competitive advantage and is routinely made available to interested members of the general public.
3. This type of data is available to the public with no special restrictions.
4. Data officially released for widespread public disclosure.

Examples: press releases, public marketing materials, financial planning tools, and employment advertising.

Internal Use Only ("Might" is the key word discriminator)

1. Might provide a business advantage over those who do not have access to the same data.
2. Might be useful to a competitor.
3. Not easily identifiable by inspection of a product.
4. Not generally known outside the company or available from public sources.
5. Generally available internally.
6. Little competitive interest.
7. Intended for use within Sprocket Inc.; not to be shared outside the company without proper management approval.

Examples: corporate intranet home site. Unstructured data examples: company newsletter, telephone directories, employee handouts, training manuals. Configuration data examples: user ID format.

Restricted ("Could" is the key word discriminator)

1. Provides a competitive advantage.
2. Disclosure/loss could cause moderate damage to the company or an individual.
3. Relates to or describes an important part of the operational direction of the company over time.
4. Important technical or financial aspect of a product line or a business unit.
5. Disclosure/loss could cause a loss of customer or shareholder confidence.
6. Disclosure/loss could cause a temporary drop in stock value.
7. Proprietary data generated in the course of business, for which inadvertent access or disclosure adversely impacts the company, its employees, or its customers.
8. A likelihood that somebody could seek to acquire this data.

Examples: purchase plans, employee records, user IDs. Unstructured data examples: most operational communications, customer information, marketing and sales plans, customer social security numbers, business unit strategies, and other intellectual property and information that must be safeguarded against insider trading.

Highly Restricted ("Would" is the key word discriminator)

1. Provides a significant competitive advantage.
2. Disclosure/loss would cause severe damage to operations.
3. Relates to or describes a long-term strategy or critical business plans.
4. Disclosure would cause regulatory or contractual liability.
5. Disclosure would cause severe damage to our reputation or public image.
6. Disclosure/loss would cause a severe loss of market share or of the ability to be the first to market.
7. Disclosure/loss would cause the loss of an important customer, shareholder, or business partner, or of the ability to patent.
8. Disclosure/loss would cause a long-term or severe drop in stock value.
9. Strong likelihood that somebody is seeking to acquire this data.
10. Proprietary data whose disclosure would have legal, regulatory, or financial repercussions or would severely alter public perception.

Structured data examples: user ID passwords, employee medical claim information, credit card numbers. Unstructured data examples: financial information prior to public disclosure; business, marketing, and sales plans; internal legal materials; customer/intermediary relationship information; employee social security numbers; research and development information; leasing contracts.

B. Information Types and Examples

To help determine the best access controls to place around information based upon its classification, it is important to know how and where the information is stored and transmitted, and who controls access to the information. Three types of information are used to associate information with these characteristics. It is important to understand that the information type can change during the information's life cycle. For example, structured information becomes unstructured as soon as end users move it to their client PC or transmit it via an e-mail attachment to someone else. Because of the ease with which the end user can compromise security by improperly storing or transmitting the data, it is vital that information end users know and understand the security implications and the role they have in protecting the information.

Structured Data: Data that is stored and modified within one database. Some characteristics of structured data include the following:
a. Each data item can normally be accessed only through a front-end application, and end users do not select where the data is stored.
b. Data is usually viewed on a screen and is modified with a front-end application that has security controls.
c. Many users can typically access structured data at the same time.
d. Data can be most easily controlled and monitored.
e. Data typically cannot be downloaded to other systems, or printed, via any method other than through the front-end application.
Examples: SQL databases, mainframe regions, DB2 databases, software code, etc.

Unstructured Data: Examples may include telephone directories, employee HR records, accounting data, marketing plans, nonreleased financial data, user IDs/passwords, etc.

Configuration Data: Examples: access control lists, security logs.

C. Information Protection Roles

Each member of the project development team has information protection roles. End users also have responsibilities for ensuring the security of the information that they process and to which they have access. Using role-based management principles is an effective method for appropriately securing and protecting information based upon classification.

Role: Information asset owner (business/process owner)

Definition: The information asset owner for a specific data item is a management position within the business area facing the greatest negative impact from disclosure/loss of the information. The information asset owner is ultimately responsible for ensuring that the appropriate protection requirements for the information assets are defined and implemented.

Responsibilities: The information owner responsibilities include, but are not limited to, the following:
1. Assign the initial information classification and periodically review the classification to ensure it still meets the business needs.
2. Ensure security controls are in place commensurate with the classification.
3. Review and ensure the currency of the access rights associated with the information assets they own.
4. Determine security requirements, access criteria, and backup requirements for the information assets they own.
5. Report suspected security breaches to Corporate Security.
6. Perform or delegate, if desired, the following:
   a. Approval authority for access requests from other business units, or assign a delegate in the same business unit as the executive or manager owner.
   b. Backup and recovery duties, or assign them to the information custodian.
   c. Approval of the disclosure of information.
   d. Act on notifications received concerning security violations against their information assets.
   e. Determine information availability requirements.
   f. Assess information risks.

Examples: Information owners are typically department heads, product managers, or division managers who own an accounting distribution. They are accountable for ensuring the information is created, gathered, and maintained, but they do not necessarily deal with the day-to-day handling of the information.


Exhibit 10 Information Handling Procedures Matrix

Different classifications and types of information must be protected according to where the information is stored, transmitted, or processed and specifically how the information is accessed. The varying locations where information is accessed and transmitted are considered its zones.

General Access Duties, All Risk Zones

Internal Use Only:
1. Information asset owners must control access to information based on business need.
2. Do not have to label the "Internal Use Only" nature of the document if distributed only inside Sprocket Inc.
3. Must label documents as "Proprietary" if distributed outside of Sprocket Inc.
4. Must be encrypted if transmitted over the Internet.
5. Uses authentication to prevent unauthorized access.

Restricted:
1. Must be labeled "Restricted."
2. Must be password protected if on the intranet.
3. Must be encrypted if transmitted over the Internet.
4. Structured electronic information must be stored on a controlled network server, not on a workstation or laptop.
5. Unstructured information must be stored only on authorized systems.

Highly Restricted:
1. Must be labeled "Highly Restricted."
2. A list of recipients identifying individuals who possess hard or electronic copies of unstructured information must be kept.
3. Must be encrypted when electronically stored or transmitted.
4. Structured information must be stored encrypted on a secured network server, not on a workstation or laptop.
5. Unstructured information must be stored encrypted only on authorized systems.
6. Cannot be placed on the Sprocket Inc. intranet until access controls are approved by the Security Program Manager.

Computer-Based Access to or from Secure Corporate Networks/Systems (Risk Zones: CNP, CNB)

Internal Use Only: Encrypted via Web browser.
Restricted: Password access control; encrypted using a method approved by Corporate Security.
Highly Restricted: Password access control; encrypted using a method approved by Corporate Security; label information on screens or documents as "Highly Restricted."

Computer-Based Access to or from High Risk Corporate Networks/Systems (Risk Zones: CNU, CNT, CND)

Internal Use Only: Encrypted via Web browser; encryption using a method approved by Corporate Security.
Restricted: Password access control; encrypted using a method approved by Corporate Security.
Highly Restricted: Password access control; encrypted using a method approved by Corporate Security; label information on screens or documents as "Highly Restricted."

Computer-Based Access to or from Secure Extranets (Risk Zones: PEC, VNC)

Internal Use Only: Encrypted via Web browser; encryption using a method approved by Corporate Security.
Restricted: Encryption using a method approved by Corporate Security; require each extranet partner representative to sign a nondisclosure agreement.
Highly Restricted: Encryption using a method approved by Corporate Security; require each extranet partner representative to sign a nondisclosure agreement.

Computer-Based Access to or from High Risk Extranets (Risk Zones: PEU, PEP, VNU, VNP)

Internal Use Only: Encrypted via Web browser; encryption using a method approved by Corporate Security; require each extranet partner representative to sign a nondisclosure agreement.
Restricted: Strong authentication (e.g., token-based access control); encryption using a method approved by Corporate Security; require each extranet partner representative to sign a nondisclosure agreement.
Highly Restricted: Strong authentication (e.g., token-based access control); place notice or label on data "Highly Restricted"; encryption using a method approved by Corporate Security; require each extranet partner representative to sign a nondisclosure agreement.

Computer-Based Access to or from the Internet (Risk Zones: PIU, PIE)

Internal Use Only: Password for access; information sent over the Internet must have encryption using a method approved by Corporate Security; require each extranet partner representative to sign a nondisclosure agreement.
Restricted: Strong authentication (e.g., token-based access control); information sent over the Internet must have encryption using a method approved by Corporate Security; require each extranet partner representative to sign a nondisclosure agreement.
Highly Restricted: Strong authentication (e.g., token-based access control); place notice or label on data "Highly Restricted"; information sent over the Internet must have encryption using a method approved by Corporate Security; information temporarily stored on an Internet Web server must be encrypted with a method approved by Corporate Security; data must be stored independently from the Web server, behind a corporate firewall; data cannot be permanently stored on an Internet Web server; require each extranet partner representative to sign a nondisclosure agreement.

Computer-Based Access from Dial-Up Networks (Vendors, Telecommuters) (Risk Zones: DN, VNU)

Internal Use Only: Password for access; vendor access according to terms of contract; require each extranet partner representative to sign a nondisclosure agreement.
Restricted: Password for access; vendor access according to terms of contract; require each extranet partner representative to sign a nondisclosure agreement.
Highly Restricted: Strong authentication (e.g., token-based access control); vendor access according to terms of contract; require each extranet partner representative to sign a nondisclosure agreement.

Risk zone definitions:

CNB  Corporate network: back-office/administration systems
CNT  Corporate network: testing/lab systems
CNP  Corporate network: production systems
CNU  Corporate network: all WAN users behind the public firewalls
CND  Corporate network: public DMZ
VNC  Vendor network: certified security; typically supports business processing
VNP  Vendor network: protected but uncertified; typically supports business processing
VNU  Vendor network: unknown security level; typically supports business processing
PEC  Partner extranet: certified security; typically part of the business application system and process
PEP  Partner extranet: protected but uncertified; typically part of the business application system and process
PEU  Partner extranet: unknown security level; typically part of the business application system and process
PIE  Public Internet: encrypted
PIU  Public Internet: unsecure
DN   Dial-up network: unsecure


Exhibit 11 Minimum Data Protection Mechanisms

Marking for use within corporate facilities

Internal Use Only: No restriction.
Restricted: Every page marked "Restricted"; every page marked with page number (page _ of _); hard-copy draft and final documents must be marked with the information owner.
Highly Restricted: Every page marked "Highly Restricted"; every page numbered (page _ of _); every copy numbered (copy _ of _); hard-copy draft and final documents must be marked with the information owner; all hard-copy documents must have a cover page that includes the information owner's name, department, and phone number; include a "Legend" on hard-copy documents stating restrictions; recipient of a copy must sign and return a receipt to the information owner; reviewed annually by the information owner to ensure the marking is still appropriate.

Marking for sharing within the extended enterprise

Internal Use Only: Every page marked "Proprietary"; electronic information must be identifiable as "Proprietary."
Restricted: Every page marked "Restricted"; electronic information must be identifiable as "Restricted"; management approval to distribute; include a "Legend" on hard-copy documents stating restrictions (i.e., for use only by "group," organization, etc.); distribution to a named person; distribution to a "group" prohibited; electronic information must be password-protected; electronic information must be encrypted according to corporate standards; every page marked with page number (page _ of _).
Highly Restricted: Every page marked "Highly Restricted"; electronic information must be identifiable as "Highly Restricted"; management approval to distribute; include a "Legend" on hard-copy documents stating restrictions (i.e., for use only by "group," organization, etc.); distribution to a named person; distribution to a "group" prohibited; information owner must maintain a list of those who have access or who possess a marked copy; electronic information must be encrypted according to corporate standards; every page marked with page number (page _ of _); every copy numbered (copy _ of _); recipient of a copy must sign and return a receipt to the information owner; electronic information must be password-protected; cannot be placed on a non-Sprocket Inc. intranet.

Storage within corporate facilities (media, procedures, facilities)

Internal Use Only: Lock in a desk or cabinet accessible only by authorized persons when not in use; if this is not possible, store in a secured media library.
Restricted: Lock in a desk or cabinet accessible only by authorized persons when not in use; if this is not possible, store in a secured media library; protected when stored electronically by using a screen saver with password and an encrypted file or drive; information must not be stored on end-user PC (C:) hard drives unless controls are used to prevent unauthorized use of the PC.
Highly Restricted: Same as Restricted.

Storage off corporate premises (media, procedures, facilities)

Internal Use Only: Accessible only by persons with a business need-to-know; the Sprocket Inc.-appointed delegate must use reasonable care and Sprocket Inc.-approved controls.
Restricted: Hard-copy and electronic media must be stored in a locked office, secured filing cabinet, or locked desk accessible only by authorized persons; information must be under the control of a Sprocket Inc.-appointed delegate at all times; information must not be left unattended in automobiles, in homes, hotel rooms, or other publicly accessible places; information stored electronically must be password-protected.
Highly Restricted: Hard-copy and electronic media must be stored in a locked office, secured filing cabinet, or locked desk accessible only by authorized persons, locked when unattended; information must be under the control of a Sprocket Inc.-appointed delegate at all times; information must not be left unattended in automobiles, in homes, hotel rooms, or other publicly accessible places.

Mailing/shipping within corporate facilities

Internal Use Only: Routing envelope/container with no special markings.
Restricted: Sealed opaque envelope/container marked "Restricted"; include delivery instructions; place information in an envelope labeled "Confidential" within the opaque mailing (Note: do not mark "Confidential" on exterior package labels sent through the U.S. mail; the label must be on the interior envelope); must be a business need; must be authorized by the information owner; information stored electronically must be encrypted if technically possible.
Highly Restricted: Sealed opaque envelope/container marked "Highly Restricted"; registered mail; place information in an envelope labeled "Confidential" within the opaque mailing (Note: do not mark "Confidential" on exterior package labels sent through the U.S. mail; the label must be on the interior envelope); sender must confirm receipt of the package from the recipient within five working days; information must be sent to a named individual, not just to an office, title, or location; include delivery instructions; recipient of a copy must sign and return a receipt to the information owner; protected when stored electronically by a screen saver with password and an encrypted file or drive.

Mailing/shipping to the extended enterprise or external

Internal Use Only: Routing envelope/container with no special markings; for technical data, software, or computer programs sent outside the United States, check with the Legal Department for export regulations; must be a business need; must be authorized by the information owner; must not send customer information unless the consent of the party described by the information is obtained.
Restricted: Sealed opaque envelope/container marked "Restricted"; include delivery instructions; place information in an envelope labeled "Restricted" within the opaque mailing (Note: do not mark "Confidential" on exterior package labels sent through the U.S. mail; the label must be on the interior envelope); for technical data, software, or computer programs sent outside the United States, check with the Legal Department for export regulations; contact Corporate Security to send outside the United States; must not send customer information unless the consent of the party described by the information is obtained; lost or disclosed information must be reported to Corporate Security immediately.
Highly Restricted: Sealed opaque envelope/container marked "Highly Restricted"; registered mail; place information in an envelope labeled "Highly Restricted" within the opaque mailing (Note: do not mark "Confidential" on exterior package labels sent through the U.S. mail; the label must be on the interior envelope); sender must confirm receipt of the package from the recipient within five working days; for technical data, software, or computer programs sent outside the United States, check with the Legal Department for export regulations; contact Corporate Security to send outside the United States; must be a business need; must not send customer information unless the consent of the party described by the information is obtained; must be authorized by the information owner.

Facsimile transmittal within corporate facilities

Internal Use Only: Remove immediately from the fax machine; protect to prevent unauthorized disclosure.
Restricted: Remove immediately from the fax machine; protect to prevent unauthorized disclosure; requires notification and verification of receipt.
Highly Restricted: Remove immediately from the fax machine; protect to prevent unauthorized disclosure; requires notification and verification of receipt; ensure the fax machine is monitored by the authorized recipient before sending.

Facsimile transmittal over outside lines

Internal Use Only: Remove immediately from the fax machine; protect to prevent unauthorized disclosure; use the corporate-approved fax cover/transmittal sheet.
Restricted: Remove immediately from the fax machine; protect to prevent unauthorized disclosure; use the corporate-approved fax cover/transmittal sheet; requires notification and verification of receipt; verify the correct fax number prior to transmittal; notify the recipient of the time and date of transmittal; ensure receiving equipment does not retain the fax image.
Highly Restricted: Remove immediately from the fax machine; protect to prevent unauthorized disclosure; use the corporate-approved fax cover/transmittal sheet; requires notification and verification of receipt; verify the correct fax number prior to transmittal; notify the recipient of the time and date of transmittal; ensure the fax machine is monitored by the authorized recipient before sending; ensure receiving equipment does not retain the fax image; use end-to-end encryption; must have prior written authorization by officer-level management of the originating department; lost or disclosed information must be reported to Corporate Security immediately.

E-mail within the corporate network

Internal Use Only: No special requirements.
Restricted: Must use an encryption method approved by Corporate Security; set sensitivity to "Confidential" using the message option; use in a controlled location where access is limited to personnel with a business need.
Highly Restricted: Must use an encryption method approved by Corporate Security; set sensitivity to "Confidential" using the message option; use in a controlled location where access is limited to personnel with a business need; must be reasonably sure the source and destination are who/what they claim to be.

E-mail through outside networks

Internal Use Only: Must use an encryption method approved by Corporate Security; set sensitivity to "Confidential" using the message option; direct the recipient not to forward to anyone.
Restricted: Use a secure link or encrypt the information using a method approved by Corporate Security; must be reasonably sure the source and destination are who/what they claim to be; use in a controlled location where access is limited to personnel with a business need; cannot allow unattended access to the information; set sensitivity to "Confidential" using the message option; direct the recipient not to forward to anyone; contact Corporate Security to send outside the United States; lost or disclosed information must be reported to Corporate Security immediately.
Highly Restricted: Use a secure link and encrypt the information using a method approved by Corporate Security; must positively ensure the source and destination are who/what they claim to be; use in a controlled location where access is limited to personnel with a business need; cannot allow unattended access to the information; set sensitivity to "Confidential" using the message option; direct the recipient not to forward to anyone; contact Corporate Security to send outside the United States; lost or disclosed information must be reported to Corporate Security immediately.

Electronic file transfer (FTP) within the corporate network (via automated or manual processes)

Internal Use Only: No special requirements.
Restricted: Use in a controlled location where access is limited to personnel with a business need.
Highly Restricted: Use in a controlled location where access is limited to personnel with a business need; information must be encrypted; must be reasonably sure the source and destination are who/what they claim to be.

Electronic file transfer (FTP) through outside networks

Internal Use Only: Must occur using firewall proxy accounts; scan for viruses.
Restricted: Must occur using firewall proxy accounts; scan for viruses; use a secure link or encrypt the information using a method approved by Corporate Security; must be reasonably sure the source and destination are who/what they claim to be; use in a controlled location where access is limited to personnel with a business need; cannot allow unattended access to the information; contact Corporate Security to send outside the United States; lost or disclosed information must be reported to Corporate Security immediately.
Highly Restricted: Must occur using firewall proxy accounts; scan for viruses; use a secure link and encrypt the information using a method approved by Corporate Security; must positively ensure the source and destination are who/what they claim to be; use in a controlled location where access is limited to personnel with a business need; cannot allow unattended access to the information; contact Corporate Security to send outside the United States; lost or disclosed information must be reported to Corporate Security immediately.

Electronic transaction processing

Internal Use Only: Use a secure link or encrypt the information using a method approved by Corporate Security.
Restricted: Define roles approved by the information owners to obtain appropriate access rights; use a secure link or encrypt the information using a method approved by Corporate Security; use in a controlled location where access is limited to personnel with a business need; cannot allow unattended access to information being processed within an active customer transaction (e.g., require reauthentication to the transaction following a minimum time of inactivity); contact Corporate Security to send outside the United States; lost or disclosed information must be reported to Corporate Security immediately.
Highly Restricted: Same as Restricted.

Business processing

Highly Restricted: Record user ID, date, and time when structured information is accessed; log failed access attempts for structured data; review daily by the information custodian; record the reason for access; operator logs of errors and corrective actions; fault logging of user-reported problems; audit trails record exceptions and other security-relevant events; computer and communications clocks synchronized to ensure log accuracy; retain logs offline according to Sprocket Inc. record retention policies; business partner agreements must include requirements that they share log and audit trail data applicable to Sprocket Inc. business processing.
pəəlisəy //uSiH 


Sulssəoold ssəulsnq 

"Sul 3əyəolds o) əlqeərdde 

e)ep len ipne pue 3o) əseus Aəv) 
Ye) sJuəuuəuinbəi əpnioul 1snuu 
s)uəuuəəi38e səuşied ssəujsng 


"sərərqod 

uonuəşə: pio2Ə1 “ul 3əyəoids 

o) SuIpio22e Əul|JJO s3o) üleləv 

Aopunəəop 3ol 

Əinsuə o) pəzliuoiu3uÁs Sy?olə 

suoneəlunululoə pue 1ə)nduioo 

sJuəAə 

YÜPAƏTQƏLM-Z)inəəs iəul]o pue 

suondəəxə pio3ə1 s|!e1) 1ipny 

suiə|qoid 

pəliodəi-iƏsn o) Su!39o| 1|nej 

SUOHOE ƏAl]9311O05 

“S1O11Ə 1OJ So) 1O]e1Ədo AƏLAƏN 

upıpo)snə 

uonepuuoyul Aq ÁPJƏƏA MƏHAƏN 

ep pəinənns 

40) sidülənp ssəəəep pəlle) 3o7 

pəssəəəe uoneuloyul pəin)ən.)s 

əuun pue “əşep “qi 4əsn psooəqv 

sə)e)Ş pəli'un Əv) əpisino puəs 

O) Ailinəəs əl)eiodio2o 13el]uoo 
pəşəusəy 


Sulssəoold ssəulsnq 

"Sul 3əyəolds o) əiqeərdde 

e)ep len ipne pue 3o) əieus Aəv) 
Yev) sluəuuəuinbəi əpnioul 1snui 


sjuəuiəəi8e səuşred ssəulsnq Hİ 


sərəryod 
uonuəşə: puoəəl “ul 3əyəolds 


o) SuIpio22e əullHo s3o) ure)əu IN 


pəssəə5E£ uoneuloyul pəln)ənlns 


Əuin pue “əşep “q 4əsn psooəM Hi 


//uO əsr) Ieuiəlul 


əsiudiə)uə 
pəpuə1)xə uuo1J 
ssə322e Jo 3ul38o7 


SuuƏ1sÁs 10 SƏll|!2eJ 
Ə]Jeiodio2 ULUNHAA 
ssəəəp Jo 3ul33o7 


uonəounq4 


(pənunuoə) suistueüu99W uonəəşosq e)epq tunutiu!W 


LI 1q1Ux4 


137 


Information Classification 


(pənunuoo) 


Ssıuəuləsinbəi Surlpucu 
uoneuoyuı Áueduuo2 1Əu1o 
UMA, ]uəuuəə1i9ep |en)2e1luo5 

Əu14o1uəuiə83eueN spi0o23Ə2] UNA 
əəuep.:o??e ul “Ə|qe3i|dde uəƏuAA 


s8o| u5ns ssə322e o] pəəu £ Ul/A 
sipnpiAlpul pəzlioulne Á|uo o) 
pƏliuui| sSƏ32e UNA eƏ1e pəin2əs 
p u! Á|qe1əJƏid “'uone|nuinəoe 
Sol o) pƏ1e3!pəp HƏAHƏS 
Əşesedəs e o) s3oi 3ıpne Ádoo 
Aopuanəəp Soy 

Əinsuə o) pəzluo/u9u4S s3J3o|5 
suomeoziunuuuio32 pue səindulo) 
sJuəAə 

)upAƏ|ə4-/A)IInoəəs 1əul]o pue 
suondəəxə pio23ə1 s|!e1) 1ipny 
suiə|qoid 

pəliodəi-iƏsn o) Sul33o) 1Ined 
SUOH?E ƏAl]9311OD5 

“S1O11Ə 1OJ s3o) 1O]e1Ədo AMƏLAƏN 
SSƏƏƏE 1O) uoseəi p4O2ƏN 
ueıpo)snə 

uonepuuolul Aq AHEp AƏIAƏ1] 
e)ep pəsnəəni)s 

40) sidüləne  ssəəəp pəfle) 307 
pəssəəəe 

Əuun pue “əşep “QI 4əsn p4ooəMy 


sıuəuləsinbəi Suilpueu 
uoneuoyuı Áueduuoo2 1Əu1o 
UMA, Juəuuəəi3e |en]oedJluoo 
Əul11oluəuuəS8euelN, Sp4O32Ə3J UJIAA 
əəuep.:o??e ul “Ə|qe3!|dde uəƏuAA 
s8o| u5ns ssə22e o) pəəu £ Ul 
sienpiAlpul pəziroune Á|uo o) 
pƏliuui| SSƏ?2E UNA BƏR pəinəəs 
p ul A/qesəyəid “üonEynülnəəe 
Sol o) pəşp?lpəp HƏAHƏS 
əyeaedəs e o) s3ol )ipne Ádoo 
Aopunəəe Soy 

əansuə o) pəzliuoiu3uÁs s?olə 
suomeoziunuuuio3 pue 1ə)nduioo 
S3UƏAƏ 

YÜPAƏTƏLM-Zinnəəs iəulo pue 
suondəəxə pio3ə1 s|ie.) 1ipny 
suiə|qoid 

pəyiodə,-səsn o) Su!39o| 1Ined 
SuO!I)2e ƏAl]9311O0D5 

“S1O11Ə 1OJ S3O) 1O]e1Ədo AƏHAƏN 
ueipolsn5 

uonmeuuoJui! Aq ADİƏƏAA AMƏİAƏN 
eyep pəsnəəni)s 

40) sidülənp ssəəəep pəlle) 3o7 
pəssəəəe 

SEA, uOl)euulOJu! pəinən.ns 
Əuun pue “əyep “qll 4əƏsn psooəy 


sjuəuiəuinbəi Suilpueu 
uonmeuuiojui! Áueduuoo2 1əƏu1lo 
UMA, Juəuuəəi38e |en]oei)uoo 
Əul11oluəuuəS8euelN, Spi4O3Ə3J UJIAA 


əəuep.o?oe u! “Ə|qe3!|dde uəƏuAA IB 


səsiuiəid 
Ə]Jejiodio2o u!uU)A 
qesodsıp /uonənnsəq 


Information Security Policies, Procedures, and Standards 


138 


pouləui 

Ə)eiodio2o e 3ulsn 3uluinq 

Aq pə/onsəp 40 “uƏlBlAAƏAO 
Ayəşəqdusoə “pəssne3əp əq 3snul 
SƏALIp pieu pue “sənəysip “səder 
əlqepeəlun uoneuuoJui! 

Əu) səpuə,: o) HqəuuPul 

e ul pəusilduloəəp əq 1snW 
e)]ep əv) JO uononilsuo3əi 
YüəAƏLd o) uonguuioJu! 
Adoə-p.eu pəiuus-ssoiO 

pəunou 

Əq 3snul iƏuAO uoleuuioJu| 
suq use4) Aunəəs 

ul siəded əəpyd “seəie Adoə ul 
aedəl 10) 4OPUƏA 

O) Sulpuəs əƏiojəq UƏNHAMƏAO 
Əq 3snul eIpəui ənəuSeul 
pəSeurep 40 əAnəəyəp uo vq 
pə4osəp 40 “UƏHHAMƏAO 
Aləşəlduloə “pəssne3əp əq 1snui 
SƏALIP pieu pue “səməysip “səder 
e)]ep əu) 

JO Alılıqepeəi pue uononnsuooəl 
)uəƏAƏid O) uoneguiioJu! 
Adoə-p.eu spouləui əleiodio5 


Sulsn uinq 40 pəlüs-sso2 IB 


pəşəlisəy /luSiH 


pou]əuu ə)e1odio2o e 3ulsn 3ulumnq 
Aq pə/o.səp 40 “UƏRHAMƏAO 
Alə)əyduioə “pəssne3əp əq 1snuu 
SƏAHD pseu pue “sənəysip “səde[ 
Əə|qepeəiun uoneuuoJu! 

Əu) 4əƏpuə1i o) i9uueui 

e ul pəusilduio22e əq 1snW 
e)]ep əv) JO uon3ənulsuo3əi 
)uƏAƏ1d O) uoneuuoJu! 
Adoə-p.eu pou)şəul ə)]e1odio5 
Sulsn uinq 40 pəius-ssoiOƏ 


aredəl 10) 1OpuəA 

O) Sulpuəs ƏioJjəq UƏNHAAƏAO 
Əq 3snul eIpəui ənəuSeul 
pəSeurep 40 ƏAl12ƏJƏp uo pq 
pə/o.səp 40 “UƏRHAAHƏAO 
Aləşəlduloə “pəssne3əp əq 1snui 
SƏALIp pieu pue “sənəysip “səder 
e)ep əu) 

qo Alılıqepeəs pue uononnsuooəl 
YUƏAƏLNd O) uoneuiioJu! 
Adoə-puseu spou)əul əl]e1odioo 


Sulsn uinq 40 pə/üs-sso? İli 


pəşəl)səy 


e]ep əv JO uonənnsuo2oəl 
S3UƏAƏLd 3Eu) pouləui e əsn Hİ 
eyep əu) Jo Ailiqepeəl 
pue uonən.nsuoə?ə, 1luəAəid 
o) uoneuuoJui Ádo2-pieu pəlqs Hi 


Ə)S HO 
lesodsıp/uonənnsəq 


USE.) u! Jo əsodsip 
!syuəuuəuinbə:i |ei9əds ON Iİ 


/uO əsr) feusəşul uonəun. 


(pənunuoə) suistueu99W uonoə]oad eyeq uinutuinw LIL 3qlux4 


139 


Information Classification 


(pənunuo2) 


s)eəuiu) |eJuəuluouiAuə pue 
upulnu u1oq uo1J uo!oənia1səp 
1o “Ə8euuep “sso| ulOiJ eIpƏui! 
Əiuo4)2ə|ə paen3əyes o) uəye) əq 
1snul əzə uoneyaodsup.n Sunq 
ƏƏlAHƏS səlinoə 

e 40 |əƏuuosiəd pəzuou)ne 

Aq pəşsodsuc.un əq 3snyy 

Əpisəi səldoə 

feul3110 Əv) Ə4ƏuA Ə)S Əv) ulO1J 
Sə|luu ƏAH 3SPƏ) 3E pəiols əq 1IsnW 
səlio]9Ə4Ip 

1ƏAHƏS 40 SƏ]1Ə3sIp o) dn pəyəeq 
əq 3snul səAlıp (doşde)) feoo7 
AHeyn3əs dn pəyəcq əq 3snyv 
uononi1səp 40) ə1!s-JJO 
)uəssiuoneuliioJuiuəuA pəunou 
əq 3snul iƏuAoO uolneuiioJu| 
Ə3IA4ƏS Əv) Aq uoluuloJul! 
pəsodsıp Əu) Jo 3uəuləəgidsiui 10 
Surlpurusiui SŞƏXLAMƏS Əv) 0) pƏ]e|Ə1 
sənssı AlIIQEII SƏAOƏ SƏÖlAHƏS 
qesodsıp uA S)25)uO2 əinsuq 
suq use) Ainəəs 

ul siəded əəpld “seəie Adoə ul 
Anəəs ə)eiodioo Aq 

pəAosdde sopuəA fEsodsip ° əsn 
pəppə.us 

AəuH Əq 3snul əu3!JOJ3!W 


s)eəuiu) |eJuəƏutuouiAuə pue 
upulnu u1oq uo1J uo!oənia1səp 
qo “Ə8euuep “sso| uuOiJ eIpƏui 
Əiuo4)2ə|ə pien3əjJss o) uəye) əq 
y)snuu əzə uonel1iodsue4) Sulinq 
Ə?lAHƏS 1Ə!1noo 

e 40 |əuuosiəd pəzuou)ne 

Aq pəliodsue1) əq 1isnW 

Əpisəi səldoə 

(eul3110 Əv) Ə4ƏuA Əlls Əu) ulO1J 
Sə|luu ƏAH 3SPƏ) 3E pəiols əq 1snW 
səlio]9Ə4Ip 

1ƏA14ƏS 40 SƏ]1Ə3sIp o) dn pəyəeq 
əq 1snuu səAlıp (dolde|) Ie52O7 
ÁlHe|n3əi dn pəyə2eq əq 3snyv 


ƏD3IAJƏS Əu) Aq uoneuuoJul 
pəsodsıp Əu) Jo 3uəuləəgidsiui 10 
Sullpueusiui SŞƏ?İAHƏS Əv) O] pəşpyəl 
sənssı A1IIIQEII HƏAOƏ SƏOİAHƏS 
qesodsıp uA, S)25.uO2 əinsuq 
sulq use) Ainəəs 

ul siəded əəpld “spəle Adoə ul 
Anəəs ə)eiodioo Aq 
pəAosdde sopuəA fEsodsip ° əsn 
pəppəlsus 

Afəul Əq 3snul Əu3!JOJ3IW 


Alqeryəi əinsuə 

o) AHHeyn3əs e)ep dn3oeq 3səl 
eyep dnəşoeq Jo suonesəuə8 
ƏƏ.) 1seə| 1E pəule)əN 

ƏxLO 

ao 4əulqsə %səp pəyəol JOoidəu!J 
p u! eIpəui dnyəeq əinəəs 
SsəƏiio)2ƏuiIp 

1ƏA4ƏS 10 SƏ1]Ə3sIp o) dn pəyəeq 
əq 1snuu səAlip (dolde|) Ie52o7 
ÁlHe|n3əi dn pəy2eq əq 3snyv 


AHƏAO?ƏL pue dny3eg 


Information Security Policies, Procedures, and Standards 


140 


siə8eueu səsn 40 siəsn 

uomeguuioJu! Aq Əlq!sSsƏ229° ]ON 

uonepərdde 

Əu) u!uliA A3Lnəəs ||e 1uəuinooq 

SIOnuoə 

Əyenbəpe əunsuə o) Ailenuue 

1seə| 3E pə)5ədsu! əq 3snul 

səniyəey ə8eio)s dnypeq əşis-HO 

sjuəuiəuiibəi ƏAIUD24e jJuəueuujəd 

pue spoiiəd uonuə1əi ÁJiluəpi 

Ayqeiyəi əinsuə 

o) AHeyn3əls e)ep dn>3oceq 3sər 

ep dnyoeq Jo 

SUOHE4ƏUƏS əə1u) 3SPƏ) 3£ ülenəN 

suosuəd 

pəzuuoune 4q Á|uo əlqissəəəe 

Əq 1snui eIpəui dnyoeq 

vəşsesip ueuinu 

40 |ein1eu p yo s)23JJƏ Əuues 

Əu) SuLəyins uuo1J 31 əpniəəid 

IHA 18u) uoneo2o| £ u! Ə)iS HÖ 

pə.o3S əq 1snui səAluəse dnəşoeg 

suosiəd 

pəzuuoune Áq Áluo ə|qissə325e 

pue Əl pue 1eəu 1suie3e 

19Ə1o1id o pəlei əƏJes 10 1|neA 

JOooidəuij e u! pəio)s əq 1snui 

sdny)2eq sənili3eJ “ul 1Ə35oids 
pəşəlisəy ÁAluSIH 


siə8eueui 1Əəsn 40 siəsn 

uoneuuoJui Aq ə|q!ssə322e ]ON 

uonesoidde 

Əul uIuliA /(üiin2əs ||e 1uəuinooq 

SIOnuoə 

Əəşenbəpe əinsuə o) Ailenuue 

1)seə| 3E pə)5ədsu! əq 3snul 

səniyəey əƏ8eio)s dnypoeq əşis-HO 

sjuəuiəuibə: ƏAIUuD21e jJuəueuujəd 

pue spoliiəd uonuə]əi ÁJlluəpi 

Aınnqeiyəi əinsuə 

o) AHeyn3əls e)ep dnyəeq 3sər 

ep dnyoeq yo 

SUOHE4ƏUƏS əəiu) 1seə| 3£ ülenəN 

suosiəd 

pəzuouıne 4q 4luo ə|qissə5232e 

Əq 3snul eIpəui dnyoeq 

qəşsesip ueuinu 

40 |ein1eu p Jo s)23JJƏ9 Əuues 

Əu) Suujə]jns uuoiuJ 31 əpniəəid 

IIHA eu) uoneo2o| £ u! Ə)iS HÖ 

pə.o3s əq 1snui səAluəlse dnəəeig 

suosiəd 

pəziou)ne 4q Áluo ə|qissə352e 

pue Əli pue 1eəu 3surese 

19Ə1Oo1d o) pəlei əJes 10 1|neA 

Jooidəuij e u! pəio)s əq 1snui 

sdny2eq sənili3eJ “ul şəyəoqds 
pəşək)səy 


Ayunəəs sulə)s4s 3ünpaədo 
Əypudosdde şuəuləldur HE 
uonpərdde 
Əu) u!uliA A11Hn2ƏS /IE Juəuinə2ooq IB 


Əpoə suonpərdde 
“ƏYPAMNOS Alilhn 'u.Ə)sÁs 
Sune.ədo “Ə1eADieUu 
10) uonel)uəuinoodq 


SIOnuoə 
ə)enbəpe ə:nsuə o) Aıfenuue 
)seə| Je pə)oədsu! əq 3snul 

səmni|i9eJ Ə8e1o)s dnöşeq əşs-HO İİ 
sjuəuiəiinbəi ƏAI!u34e Juəueuuiəd 

pue sporuəd uonuə)əiu Aimüuəpi IB 


/uO əsn Ieuiəlul uolnməsunz 


(pənunuoə) suısıupuəəyy uonəə)osq e)epq tuunutiu!W 


LI 1q1Ux4 


141 


Information Classification 


(pənunuo2) 


əpeuı əse səldoə pəziouneun 
aəvlini ou əinsuə )snuu 

səldoə pəzuouıne Jo siuəldiəəN 
,bəyəinsəq 

AIUSIH , se uoneuulioJu! 

Əu) Sulurequoə eIpəu 

yo səldoə le |jəqe| pue səqulnu 
pue psooəz uonnqı.sıp urequleul 
)snui əşeSələp uonepudloyul 

40 4AƏUAAO UOHPEULOVUİ 

ƏşeSələp uoneuuJoJu! 

40 1AƏUAAO UOHEULOŞUİN 

Aq pəzuouıne əq 3snyy 
ƏşeSələp/HƏUAO UOHPULOŞUL Əv) 
O) s3uoləq uonpuloyul Aşisseysəq 
40 ÁjJisse|3əp o) Aşlrovne əul 
s|ie]əp 3!Ji59əds 

10) Juəui)iedəq] qe3ə? Jos)juoo 
Anuə sui şəyəolds 

-uou ul4A ]uəuiəə18e 40 ]92e1)uoo 
JO su) o) Suipio322e 1]23]O1d 
supıpo)snə 

uoneuuolul Aq Á|uo əlqissəəəvy 
pəujipoui Suləq uuoiJj ]93]O4d 
Ayunəəs suuiə1sÁs 3uneiədo 
Ə)e!udoidde lJuəuuə|[duul 

İƏAƏ) 

sıu) 40) əyeuidoadde se pəşəəşolq 


ƏşeSələp uoneuuJoJu! 

40 1AƏUAAO UOHEULOŞUN 

Aq pəzuouıne əq 3snyy 
ƏşeSələp/HƏUAAO UOHPULOŞyUL Ət) 
O) s3uoləq uonpuloyul Aşissepəəq 
40 Ájisse|3əp o) Aşlrouıne əu l 
s|i!ie]əp 3!Ji3əds 

10) Juəun)uiedəq] |e8ə7] Jos)uoo 
Anuə sui şəyəolds 

-uou ul!A ]uəuiəə18e 40 ]9e1)uoo 
JO SuuiƏ] O) Suipio22e )?əşold 
sueplpo)snə 

uonepuuo,ul Aq Aluo əlqissəəəvy 
pəmpoul Suləq uo ]293]O1d 
Ayunəəs suiə1sÁs 3ünpaədo 
Əypudosdde lJuəuuə|[duul 

İƏAƏ) 

sıu) so) əyeuidoadde se pəşəəşolq 


ƏşeSələp uoneuuJoJu! 

40 1ƏUAAO UOHEULOŞUİN 

Aq pəzuouıne əq 3snyy 
ƏşeSələp/HƏUAO UOHPULOŞUL Əv) 
o) s3uoləq uoneuuoyul AHsseyəl 
40 Ájisse|3əp O) Aşlrou)ne əul 
s|ie]əp əniəəds 

40) şuəunuaedəq) qe3ə? 12e)uoo 
Anuə sui şəyəolids 

-UOU uA 1]uəuiəə19e 10 ]92e11uoo 
JO Suu4Ə] O) Suipio22e 1]9Ə]O4d 


pəiujipouu Suiəq uo ]93]O1d 


uonmeuuioJu! 
qo 3urAdoə 
pue uoneərdnq 


Auou)ne 
ÁJisse|2əu/ÁJisse|2əq 


uolnguloJu! 
"Sul 1JƏ33oids 
-uou SullpueH 


s3o) 
SUVƏ)S4S pue )ipny 


Information Security Policies, Procedures, and Standards 


142 


SuO1)2141SƏ1 
uonnqınsıp pue Ádoo 
sjuəuiəuibəi əinso|3sIpuoN 
pop ,pə]D9113sə:] AIUSİMH, 
Sun?əşold soy sjuəuuəiinbəzl 
“Əpnroul 3snul suonipuoə 
:s]Joe11uoo u! pəluəuinəoop 
əq 1snui suonijpuoo /ilnəəş 
SsıoEnuoə 
ssəulsnq Illlnı o) pəsinbəl 
uonmeuuoJu! O) Á|uo ssə223v 
pəlud 
səldoə Jo səqulnu əv) qonuoə 
)snui SAƏUAAO UOHEULİOVUİ 
sjuəuinoop pəşəlnsəl AluSiuq 
1Əu]o pue s33Əu3 Jo ə5uəsəid 
Əu) soy Aep ssəulsnq u2oeə Jo puə 
Əu) 3£ pəyəəu? əq 1snui siəşuliq 
Sunulud əu) JO uoneinp 
Əu) 40) uoneuuoJul! Əv) o] ssə322e 
pə)ue1i8 uosiəd e Áq pəpuən əq 
)snuu səşurid əv) “pəusi|duio325e 
Əq 1ouup23 SsIUu] H !ssƏ523e ƏAPU 
AAOU3-03-pəəu e Suneilsuouiəp 
JgƏuuosiəd pəziioul)ne 
Á|uo u3!uA O) s]JuəuiuouiAuə 
pəlonuoə ul siəluiid 


O) Á|uo Juəs əq Isnui uoneuuJjoJju IB 


pəşəlsəy ÁAJuSIH 


SuO1)314]SƏ1 
uonnqıunsıp pue Ádoo 
sjuəuiəuinbəi əinso|3sIpuoN 
ep , pƏ)D9111sƏ1l, 
Sunəəşold so) s)uəuiəuinbə3 
“Əpnroul 3snul suonipuoə 
!sjpoe1uoo u! pə)uəuinəop 
əq 1snui suonijpuoo /ilinəəş 
SıoEnuoə 
ssəulsnq Illlnı o) pəsinbəl 
Unu Oyu O) Á|uo ssə22v 
pəluud 
səido2o Jo səqulnu əv) qonuoə 
)snui SAƏUAAO uoneuuJoJu| 
sjuəuinəoop pə)13141sə1i 
1Əu]o pue s33Əu3 Jo ə5uəsəid 
Əu) soy Aep ssəulsnq u2oeə Jo puə 
Əu) 1° pəyəəuv? əq 1snui siəşuliq 
Sunulud əu) JO uoneinp 
Əu) 40) uoneuuoJul Əv) o] ssə322e 
pəşup.3 uosiəd e Aq pəpuəne əq 
)snuu səşulid əv) “pəusiltdulooop 
Əq 1ouup23 sl) J! “SSƏƏ2E ƏAPU 
AAOU3-03-pəəu e Sunensuouiəp 
JƏuuosiəd pəzuoune 
A/UO u3!uA O) s]JuəuiuouiAuə 
pəlonuoə ul siə)Juid 


O) Á|uo Juəs əq Isnu! uoneuuJjoJju l İİ 


pƏ132!43səs 


SuO1)2141SƏ1 
uonnqınsıp pue Ádoo 
sjuəuiəuibəiu əinso|3sIpuoN 
ep ,Ájuo əsn Ieuiəlui, 
Sunəəşold so) s)uəuiəiinbə3 
“əpnoul 3snul suonipuoə 
!sjoe1uoo u! pə)uəuinəop 
əq 3snul suonijpuoo /ilinəəş 
sıoEnuoə 
ssəulsnq Illlnı o) pəsinbəl 


uonpuuoyul o) Á|uo ssə55v HE 


Sunulud əu) JO uoneinp 

Əu) 40) uoneuuoJul Əv) O) ssə322e 

pəşup.:3 uosiəd e Aq pəpuəne əq 

)snuu səşurid əv) “pəusi|duio325e 

Əq 1ouup23 slü) H “SSƏƏƏE ƏAPU 

AVOU-O0)-pəəu e Suressuouləp 

fəuuosisəd pəzuoune 

A/UO u3!uA O) s]JuəuiuouiAuə 

pəlonuoə ul siəluiid 

O) A/UO Juəs əq Isnui uoneuuJoJu| 
//uO əsn Ieuiəlu| 


ssəə?p Aled-pulu 1 


Sunuluq 
uonəun4 


(pənunuoə) suısiupuəəyy uonə?ə)odq e]edq ulnuuly LIL 3iqlux4 


143 


Information Classification 


(pənunuo2) 


uoneərdde 
10 uonvuuJoJu! Əv) o] ssə322e 
Sulure3 o) solid o]op ,pəşərnsəy, 
AIUSIH doy Asessəəəu sionuoə 
pue s)uəuuəuinbəi Aininəəs ep 
Əu] po) əq 3snul e]ep Əv) UNA 
pəyeroosse sə|oi Sullluln) suosiəq HE 
Ayun?əəs soy pəəu əu) pue]siəpun 
Aəu) əinsuə o) Suute1) 
SSƏUƏNEARP Aylinəəs əjenbəpe 
ƏAIƏ3Ə1 1)snui E)Ep Ət) UNA 
pəleioosse sə|oi Sullluln) suosiəq HE 
Aunəəs 
Ə)eiodiooO o) /ləyprpəuiuil 
pəliodəi əq 3snul suoneE/olA Iİ 
pəusılqeşsə əq 3snul sənied 
psnu) 40) sionuoə ə)erudoiddv HE 
4nəəo 3snul 
(sISAyeuE) uonsonnuəpi ?six HE 
sue|d Aınunuoə ssəulsnq 
Ayred-palu) yo uonenieAq 
s|ojjuoo 
|Jeuiə)ui Aqqed-palu) JO AMƏİAƏN 
sələiod :3u| 1Ə335oidçs Jo 
Suol]e|o!A SnOI!AƏ1d 10) u541eəs 
uone3nsəAul puno/3)oeq 
snə2o )snul SulM—o/lo) 
Əul5enuoj3olurSuuəluəəioJjəg HE 
səniliqisuodsəi UODPONDON 


uonpərdde so uonepulolul 
əu) o) ssəəəp Sulule3 o) solid 
ep ,pəşənsəş, qoy Azessəəəu 
SION)uO2 pue s)uəuləuinbəi 
Aninəəs e1]ep əv) p|o1 
əq 3snul eşep əv) ul!A pəl)elD2osse 
In) suossəq Iİ 
A)unəəs soy pəəv əu) pue]siəpun 
Aəu) əsnsuə o) Sulure.) 
SSƏUƏNHPARP Aylinəəs əəenbəpe 
ƏAIƏ3Ə1 1]snui E)Ep Əu) UNA 
pəleioosse sə|oi Sullluln) suosiəq l 
AMnunəəs 
Ə)eiodiooO o) ÁləƏleIpəuuuu! 
pəliodə1i əq 3snul suones|o!A ËB 
pəusılqeşsə əq 1snui sənied 
patu) 40) sionuoə ə)erudoiddv HE 
4nəəo 3snul 
(sISAyeuE) uoneonnuəpi ?SİM HE 
sue|d Aınunuoə ssəulsnq 
Aed-p.lu) JO uoneniPAq 
SIOnuo? 
qeusəşul Ayred-paru) JO AƏIAƏ1] 
sərəiod "əul şəyəolds Jo 
SUOREOA SnOIAƏ1d 10) u541eəs 
uone3nsəAul puno/3x)oeq 
dnə2o 1snui SulM—o/lo) 
əu) 42ENnyuoə oşul Suəşuə əlöşəq HE 
səniliqisuodsəi UODPONDON 


uoneərdde 
40 uOnpPuULOyUL Əv) O) ssə322e 
Sulure3 o) solid ep ,A/uO əsn 
qeusəlul, o) Asessəəəu syosnuoə 
pue s)uəuuəuinbəi Aininəəs ep 
Əu) pf0) əq 3Snul e]ep Əu] UNA 
pəşeroosse sə|oi Su!||lJin) suosiəq IE 
A)unəəs soy pəəu əv) pue)siəpun 
Aəu) əinsuə o) Sulure.) 
SSƏUƏNHEARP Aylinəəs əəenbəpe 
ƏAlƏ?Ə, 1]snui e]ep Ət) UNA 
pəyerəossep sə|oi Sullluln) suosiəq HE 


Aunəəs 
Ə)e1odiooO o) /ləyprpəuiuil 
pəşuodəz əq 3snul suonP/olA Iİ 
pəusılqessə əq 1snui sənied 
pitu) 40) sionuoə əşeridoaddyv 
sue|d Aınunuoə ssəulsnq 
Ayred-pau) yo uonenieAq 
SIOnuo2 
qeusəşul Aqed-pualu) JO MƏİAƏN 
sərəiod :3u| şəyəolds Jo 
SUORETOA SnO!AƏ1d 10) u541eəs 
uone3nsəAul puno/3)oeq 
dnəəo 1snui SUAOİO) 
Əul5enuo3olu!SuuəluəəioJjəq HE 
səminisuodsəi uons3iJllON 


Suruleu) səs) 


Information Security Policies, Procedures, and Standards 


144 


uonən.nsəp 40 sso| |ej)uəpi523e 

)uəAƏ1id o] pue “üonənnsəp 

40 “Ə1nso|j3sIp “suo!)e1ə]|e 

“ssə523e pəziiou)neun uuo1J 

pə12ə1oid əq 1snui e]ep |euosiəd 

əsodınd 

pəpuətul s) 4o) Aressə?əu se 3uo) 

se Aluo 1dəy pue 4uəldinə 1dəy 

“Əypunəəp əq 3snul eyep |euosiəd 

əsodınd 

pəpuətul əƏu] ul)iA əlqnedusooul 

APA. AUE Ul Əsnsoyəsip 40 

Əsn uuioiJj pəyəəşold əq 3snul eq 

SəDsiə)əbapuə 

uone3iJisse|3 Əv) yo AioluəAu! 

dəəy o) pəunuəpi süosiəd/səloy 

Əuun uonuə1ə1i A4o)ne)s 

əu) puo,əq pəuitx1əi uəəq əAeu 

1eu) pə/o.nsəp əq 1snui sp4oəəv 

əsn pue 3ul4doə pəsuəəilun pue 

pəzuouıneun 1uəAə1d o) əəeyd 

ul Əq 1snui s|ojlluo32 ƏLPAOŞ 
pəşəlisəy //uSiH 


uonən.nsəp 40 ssol |ej)uəpi5232e 

)uəAƏ1id o) pue “üonənnsəp 

40 “əsnsorəsip “suone/ə/e 

“ssə5232e pəziiou)neun uuo1J 

pə12ə1oid əq 1snui e]ep |euosiəd 

əsodind 

pəpuətul s) 40) Aressə?əu se 8uo| 

se Aluo 3dəy pue 4uəlinə 1dəy 

“Əyeuanəəp əq 3snul eyep |euosiəd 

əsodınd 

pəpuətul əƏu] unu, əqqnedusooul 

APA. AUE Ul Əsnsoyəsip O 

Əsn ulioiJ pəşəəşod əq 3snul ele 

SoDsiə)əbacuə 

uone3l1JiSse|3 Əv) JO ÁAioluəAu! 

dəə)y] o) pəijnuəpi suosiəd/səloy 

Əuun uonuə]əi A4o)n)e)s 

əu) puo,əq pəuitx1əi uəəq ƏAPU 

1eu) pə/o.nsəp əq 1snui sp4oəəx 

əsn pue 3Sul4doə pəsuəəllun pue 

pəzuou)neun 1uəAə1d o) əəeyd 

ul Əq 1snui s|o1lluo32 ƏHPAOŞ 
pəşəlusəy 


(pənunuoə) suısıupuəəyy uonə?əşosq e)epq tunutiu!W 


uonən.nsəp 40 ssol |ej)uəpi5232e 

YUƏəAƏLMd o) pue “üönənnsəp 

40 “əsnsorəsip “suone-ə/e 

“ssə523e pəziiou)neun uuo1J 

pə12ə1o1id əq 1snui e]ep |euosiəd 

əsodind 

pəpuəltul sh so) Aressə?əu se 3uo) 

se Aluo 3dəş pue 4uəlinə 1dəy 

“Əyeinəəp əq 3snul eyep |euosiəd 

əsodınd 

pəpuətul əƏu] uA əlqnedusooul 

AEA. Áu ul Ə!inso|5sip o 

Əsn uioiJj pə1231oid əq 3snul eq 

SəDsLə)əbacuə 

UoOnPəLNisseyə Əu) yo AioluəAUu! 

dəəy o) pənnuəpi suosiəd/səloy 

əuın uonuə]əi A4o)n)e)s 

əu) puo,əq pəuleşəs uəəq ƏAPU 

1eu) pə/o.nsəp əq 1snui sp4oəəv 

əsn pue 3Sul4doə pəsuəəllun pue 

pəzuou)neun 1uəAə1d o) əəeyd 

ul Əq 1snui s|ojlluo32 ƏHPAOŞ 
//uO əsn fEuzə)ul 


Siuəuləsinbəl |e3ə1 
uonəun.4 


LI 1q1Ux4 


145 


Information Classification 


siəuupuə 
Aueduıuoə pəzuou)ne 
u3no.su) uonnqınsıp 
oliqnd 40) ə|qe|ieAe ƏPEVV 
olrsnd 


(uəuəunbaəli Aloaein3əl 
A/lensn) ssəulsnq 
Auedusoə 3unənpuoə 
uəuA səə(olduuə Jo 3əsqns 
p Aq Əsn io; pəpuəuul 
q31O131S324 

(əuo )9ə/əs) uoneoijisse|Ə 


ssəulsnq 

Auedusoə 3unənpuoə 
uəuA səə/oldulə 

ile Aq əsn so) pəpuəlul 


451) IVN3431NI 


:Ə)]eq 


dnoi5S 


Aueduuoo əu) o) ə3pulep 
əsneə pinoə so “əƏ8e)ueApe 
əAnnəduuoə s,Aueduloə əu) 

əənpəu “s|enpiAIpui yo 4əpAlıd 
Əu) ƏlE/O1A pinoə “pəsoləsip JI 
TVILN4d14NOƏ2 


eQ — xin 


Sp402ƏN ssə32oiq ssəuisn 


Sp402əN uoneunsiurupy dnoi 


= Cl on * m Q — Cl en *+ In 


spio5əq] əəÁo|duuqg 


uondiləsəq/əulEN 
uoneuuioJu| 


uunipəlN əƏ8e1o1ç 


:əuoud/Áqg 


pƏuuioJƏəd AƏIAƏ1| 


YƏƏUSYHOAA AAIAƏ2] UOHPƏNHSSEİƏ uoneuuoJul 


:uoneziue8iO 


)]ƏƏuS3MHOAA uonoboljisse|9 uoneuuaoJul ə|duueçs Zİ 1iqiux3 




To complete this worksheet, the employee would fill in the information 
requested at the top of the sheet: 


■ Organization — The department designated as the information owner 

■ Group — The reporting group of the individual performing the information 
classification process 

■ Review performed by/Phone — The name and phone number of the 
individual performing the review 

■ Date — The date of the review 

■ Information Name/Description — An identifier and description of the 
information being reviewed 


In the section for Information Name/Description, it will be necessary to enter 
the information type. For example: 


■ Employee Records 
Employee performance revievv records 
Timecards 
Employee discipline documents 
Pay records 
Medical records 

■ Group Administrative Records 
Monthly status reports 
Yearly status reports 
Yearly business objectives 

■ Business Process Records 
Purchasing contracts 
Quarterly financial reports 
Project management tasks, schedules 
Reference manuals 
Contract negotiations 

■ Operations Information 
Business partner information 
Asset allocation 
Trading activities 
Production formulas 
Production cost information 
Customer lists 

■ Distribution Records 
Distribution models 
Inventory records 
Parts supplies 


Using the definitions, the person(s) performing the review would place a 
check in the appropriate column — only one check for each item being 
reviewed. This process would allow the user department to identify all of the 
various types of information found in the department and then be able to 
determine under which classification the information probably falls. 


7.11 Authorization for Access 


To establish a clear line of authority, some key concepts will have to be 
established. As discussed above, there are typically three categories of employee 
responsibilities. Depending on the specific information being accessed, an indi- 
vidual may fall into more than one category. For example, an employee with a 
desktop workstation becomes the owner, custodian, and user. To help better 
understand the concepts, the responsibilities of each category are listed below. 


7.11.1 Owners 


Minimally, the information owner is responsible for: 


■ Judging the value of the information resource and assigning the proper 
classification level 

■ Periodically reviewing the classification level to determine if the status 
should be changed 

■ Assessing and defining appropriate controls to assure that information 
created is properly safeguarded from unauthorized access, modification, 
disclosure, and destruction 

■ Communicating access and safeguard requirements to the information 
custodian and users 

■ Providing access to those individuals with a demonstrated business 
need for access 

■ Assessing the risk of loss of the information and assuring that adequate 
safeguards are in place to mitigate the risk to information integrity, 
confidentiality, and availability 

■ Monitoring safeguard requirements to ensure that information is being 
adequately protected 

■ Assuring a business continuity plan has been implemented and tested 
to protect information availability 


7.11.2 Custodians 


At a minimum, the custodian is responsible for: 


■ Providing proper safeguards for processing equipment, information 
storage, backup, and recovery 

■ Providing a secure processing environment that can adequately protect 
the integrity, confidentiality, and availability of information 

■ Administering access requests to information properly authorized by 
the owner 




7.11.3 User 


The user must: 


■ Use the information only for the purpose intended 
■ Maintain the integrity, confidentiality, and availability of information 
accessed 


Being granted access to information does not imply or confer authority to 
grant other users access to that information. This is true whether the infor- 
mation is electronically held, printed, hard copy, manually prepared, copied, 
or transmitted. 


7.12 Summary 


Information classification drives the protection control requirements, and this 
allows information to be protected to a level commensurate with its value to 
the organization. The cost of overprotection is eliminated and exceptions are 
minimized. With a policy and methodology, specifications are clear and 
accountability is established. 

There are costs associated with implementing a classification system. The 
most identifiable costs include labeling classified information, implementing 
and monitoring controls and safeguards, and proper handling of confidential 
information. 

Information, wherever it is handled or stored, needs to be protected from 
unauthorized access, modification, disclosure, and destruction. All information 
is not created equal. Consequently, segmentation or classification of informa- 
tion into categories is necessary to help identify a framework for evaluating 
the relative value of the information. By establishing this relative value, it will 
be possible to establish cost-effective controls that will preserve the information 
asset for the organization. 


Chapter 8 


Security Awareness Program 


Development of security policies, standards, procedures, and guidelines is 
only the beginning of an effective information security program. A strong 
security architecture will be rendered less effective if there is no process in 
place to make certain that the employees are aware of their rights and 
responsibilities. All too often, security professionals implement the “perfect” 
security program, and then forget to include the personnel in the formula. 
To be as successful as possible, the information security professional must 
find a way to sell this product to the customers. An effective security awareness 
program could be the most cost-effective action management can take to 
protect its critical information assets. 

Implementing an effective security awareness program will help all 
employees understand why they need to take information security seriously, 
what they will gain from its implementation, and how it will assist them 
in completing their assigned tasks. The process should begin at new 
employee orientation and continue annually for all employees at all levels 
of the organization. 


8.1 Key Goals of an Information Security Program 


For security professionals there are three key elements for any security 
program: integrity, confidentiality, and availability. Management is concerned 
that information reflects the real world and that it can have confidence in the 
information available to it so that management can make informed business 
decisions. One of the goals of an effective security program is to ensure that 
the information of an organization and its information-processing resources 
are properly protected. 

The goal of confidentiality extends beyond just keeping the bad guys out; 
it also ensures that those with a business need have access to the resources 
they need to get their job done. Confidentiality ensures that controls and 
reporting mechanisms are in place to detect problems or possible intrusions 
with speed and accuracy. 

In a recent roundtable discussion reported in the April 1999 Information 
Security Magazine, information security professionals Terri Curran of the 
Gillette Company, Harry DeMaio of Deloitte & Touche Services LLC, Dan 
Erwin of the Dow Chemical Company, and Kathleen Zarsky of Cigna Corpo- 
ration discussed the changing perception of the security professional. These 
four well-respected members of the information security profession were able 
to present ideas that most of us in the business agree with. 

Ms. Zarsky stated that in the past “unless management faces an audit — 
or the company has been embarrassed by breaches in security — it's very 
hard to convince them that security is worth the expense.” As most of us have 
seen, management often views security as, at best, a necessary evil. However, 
with the move to E-commerce, management is looking to information security 
as a business enabler. This concept is beginning to make the rounds in recent 
security conferences around the world. David Lynas of Sherwood Associates 
conducts conference sessions to train security professionals to turn away from 
the traditional role of saying “NO” and to the more effective process of being 
part of the business. 

An effective information security program must review the business objec- 
tives and the mission of the organization and ensure that these goals are met. 
Meeting the business objectives of the organization and understanding the 
customers' needs are what the goal of a security program is all about. An 
awareness program will reinforce these goals and will make the information 
security program more acceptable to the employee base. 


8.2 Key Elements of a Security Program 


The starting point with any security program is the implementation of policies, 
standards, procedures, and guidelines. As important as the written word is in 
defining the goals and objectives of the program and the organization, the 
truth is that most employees will not have the time or desire to read these 
important documents. An awareness program will ensure that the messages 
identified as important will get to all of those who need them. 

Having individuals responsible for the implementation of the security 
program is another key element. To be most effective, the enterprise will 
need to have leadership at a minimum of two levels. There is a strong 
need to identify a senior-level manager to assume the role of corporate 
information officer (CIO). In a supporting capacity, an information security 
coordinator responsible for the day-to-day implementation of the informa- 
tion security program and reporting to the CIO is the second key player 
in the overall security program. Because a security program is more than 
just directions from the IT organization, each business unit should have its 
own coordinator responsible for the implementation of the program within 
that business unit. 




The ability to classify information assets according to their relative value 
to the organization is the third key element in an information security program. 
Knowing what information an organization has that is sensitive will allow the 
informed implementation of controls and will allow the business units to use 
their limited resources where they will provide the most value. Understanding 
classification levels, employee responsibilities (owner, custodian, user), intel- 
lectual property requirements (copyright, trade secret, patent), and privacy 
rights is of critical importance. An effective awareness program will have to 
take this most confusing message to all employees and provide training 
material for all non-employees needing access to such resources. 

The fourth key element is the implementation of the basic security concepts 
of separation of duties and rotation of assignments. 


Separation of duties — No single individual should have complete control 
of a business process or transaction from inception to completion. This 
control concept limits the error, opportunity, and temptation of personnel 
and can best be defined as segregating incompatible functions 
(accounts payable activities with disbursement). The activities of a 
process are split among several people. Mistakes made by one person 
tend to be caught by the next person in the chain, thereby increasing 
information integrity. Unauthorized activities will be limited because 
no one person can complete a process without the knowledge and 
support of another. 

Rotation of assignments — Individuals should periodically alternate 
various essential tasks involving business activities or transactions. There 
are always some assignments that can cause an organization to be at 
risk unless proper controls are in place. To ensure that desk procedures 
are being followed as well as to provide for staff backup on essential 
functions, individuals should be assigned to different tasks at regular 
intervals. 


One of the often-heard concerns against rotation of assignments is that it 
reduces job efficiency. However, it has been proved that an employee's interest 
declines over time when doing the same job for extended periods. Additionally, 
employees sometimes develop shortcuts when they have been in a job too 
long. By rotating assignments, the organization can compare how the task 
was being done and where changes should be made. 
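The two controls described above (separation of duties on an accounts-payable process, and rotation of long-held assignments) can be enforced in software rather than left to desk procedure. The following is an added example, not code from the book: the invoice record, the names alice/bob/carol, and the 180-day rotation window are constructed for illustration. Each step of the disbursement chain records who performed it, and the next step refuses the same person, so no one can carry a payment from entry to disbursement alone; the rotation check lists anyone who has held an essential task longer than the assumed policy window.

```python
"""Added example: separation of duties on an accounts-payable chain and a
rotation-of-assignments check. All names, dates and the 180-day window are
constructed for illustration and are not taken from the book."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


class SeparationOfDutiesError(Exception):
    """Raised when one person would perform two incompatible steps."""


@dataclass
class Invoice:
    """Constructed accounts-payable record. Each step records who did it,
    which is what lets the next person in the chain catch the previous one."""
    invoice_id: str
    amount: float
    entered_by: Optional[str] = None
    approved_by: Optional[str] = None
    disbursed_by: Optional[str] = None


def enter_invoice(inv: Invoice, user: str) -> Invoice:
    """Step 1: accounts-payable entry."""
    inv.entered_by = user
    return inv


def approve_invoice(inv: Invoice, user: str) -> Invoice:
    """Step 2: approval must come from someone other than the person who entered it."""
    if inv.entered_by is None:
        raise ValueError("invoice must be entered before it can be approved")
    if user == inv.entered_by:
        raise SeparationOfDutiesError(
            f"{user} entered {inv.invoice_id} and cannot also approve it")
    inv.approved_by = user
    return inv


def disburse_invoice(inv: Invoice, user: str) -> Invoice:
    """Step 3: disbursement is incompatible with both entry and approval."""
    if inv.approved_by is None:
        raise ValueError("invoice must be approved before it can be disbursed")
    if user in (inv.entered_by, inv.approved_by):
        raise SeparationOfDutiesError(
            f"{user} already handled {inv.invoice_id} and cannot disburse it")
    inv.disbursed_by = user
    return inv


@dataclass
class Assignment:
    """Who currently holds which essential task, and since when."""
    person: str
    task: str
    since: date


def overdue_rotations(assignments: List[Assignment], today: date,
                      max_days: int = 180) -> List[Assignment]:
    """Return assignments held longer than max_days (an assumed policy window)."""
    return [a for a in assignments if (today - a.since).days > max_days]


def demo() -> dict:
    """Walk one constructed invoice through the chain, collecting blocked attempts,
    then run the rotation check over a constructed roster."""
    blocked = []
    inv = enter_invoice(Invoice("INV-1001", 2500.00), "alice")
    try:
        approve_invoice(inv, "alice")        # same person as entry: blocked
    except SeparationOfDutiesError as exc:
        blocked.append(str(exc))
    approve_invoice(inv, "bob")
    try:
        disburse_invoice(inv, "bob")         # approver paying out: blocked
    except SeparationOfDutiesError as exc:
        blocked.append(str(exc))
    disburse_invoice(inv, "carol")           # third person completes the chain

    today = date(2024, 6, 30)                # constructed reporting date
    roster = [
        Assignment("alice", "vendor master maintenance", date(2023, 9, 1)),
        Assignment("bob", "payment approval", date(2024, 4, 15)),
    ]
    overdue = [a.person for a in overdue_rotations(roster, today)]
    return {"invoice": inv, "blocked": blocked, "overdue": overdue}


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed in the step functions rather than in the caller: a rule that lives beside the data it protects cannot be skipped by a second code path that forgets to call it, which is the software equivalent of a desk procedure that depends on everyone remembering it.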

The final element in an overall security program is an employee awareness 
program. Each of these elements will ensure that an organization meets its 
goals and objectives. The employee security awareness program will ensure 
that the program has a chance to succeed. 


8.3 Security Awareness Program Goals 


To be successful, a security awareness program must stress how security will 
support the business objectives of the enterprise. Selling a security program 


152 Information Security Policies, Procedures, and Standards 


requires the identification of business needs and how the security program 
supports those objectives. Employees want to know how to get things accom- 
plished and who to turn to for assistance. A strong awareness program will 
provide those important elements. 

All personnel need to know and understand the management directives 
relating to the protection of information and information-processing resources. 
One of the key objectives of a security awareness program is to ensure that 
all personnel get this message. It must be presented to newly hired employees 
as well as to existing employees. The program must also work with the 
purchasing people to ensure that the message of security is presented to 
contract personnel. It is important to understand that contract personnel need 
to have this information, but it must be handled through their contract house. 
Work with the purchasing and legal departments to establish the proper process. 

All too often the security program fails because there is little or no follow-up. 
There is usually a big splash with great fanfare to kick off a new program. 
Unfortunately, this is where many programs end. Employees have learned 
that if they wait long enough, the new programs will die due to lack of interest 
or follow-up. It is very important to keep the message in front of the user 
community and to do this on a regular basis. To assist you in this process, 
there are a number of “days” that can be used in conjunction with your 
awareness program. 


■ May 10 — International Emergency Response Day 
■ September 8 — Computer Virus Awareness Day 
■ November 30 — International Computer Security Day 


Keeping the message in front of the user community is not enough. The 
message must make the issues of security alive and important to all employees. 
It is important to find ways to tie the message in with the goals and objectives 
of each department. Every department has different objectives and different 
security needs. The awareness message needs to recognize and address those 
concerns. We will discuss this in more detail presently. 

Find ways to make the message important to the employees. When discussing 
controls, identify how they help protect the employee. When requiring 
employees to wear identification badges, many security programs tell the 
employees that this has been implemented to meet security objectives. What 
does this really mean? What the employees should be told is that the badges 
ensure that only authorized persons have access to the workplace. By doing 
this, the company is attempting to protect the employees. Finding out how 
controls support or protect the assets (including the employees) will make 
the security program message more acceptable. 

Finally, a security program is meant to reduce losses associated with 
intentional or accidental information disclosure, modification, destruction, and 
denial of service. This can be accomplished by raising the consciousness of 
all employees in ways that protect information and information-processing 
resources. By ensuring that these goals are met, the enterprise will be able 
to improve employee efficiency and productivity. 




8.4 Identify Current Training Needs 


To be successful, the awareness program should take into account the needs 
and current levels of training and understanding of the employees and man- 
agement. There are five keys to establishing an effective awareness program. 
These include: 


1. Assess the current level of computer usage. 
2. Determine what the managers and employees want to learn. 
3. Examine the level of receptiveness to the security program. 
4. Map out how to gain acceptance. 
5. Identify possible allies. 




To assess the current level of computer usage, it will be necessary to ask 
questions of the audience. Although sophisticated workstations may be found 
in employee work areas, their understanding of what these devices can do 
may be very limited. Ask questions about what the jobs are and how the tools 
available are used to support these tasks. It may come as a surprise to find 
the most sophisticated computer is being used as a glorified 3270 terminal. 
Be an effective listener. Listen to what the users are saying and scale the 
awareness and training sessions to meet their needs. In the awareness field, 
one size or plan does not fit all. 

Work with the managers and supervisors to understand what their needs 
are and how the program can help them. It will become necessary for you 
to understand the language of the business units and to interpret their needs. 
Once you have an understanding, then you will be able to modify the program 
to meet these special needs. No single awareness program will work for every 
business unit. There must be alterations and a willingness to accept suggestions 
from nonsecurity personnel. 

Identify the level of receptiveness to the security program. Find out what 
is accepted and what is meeting with resistance. Examine the areas of 
noncompliance and try to find ways to alter the program if at all possible. 
Do not change fundamental information security precepts just to gain 
unanimous acceptance; this is an unattainable goal. Make the program meet the 
greater good of the enterprise and then work with pockets of resistance to 
lessen the impact. 

The best way to gain acceptance is to make your employees and managers 
partners in the security process. Never submit a new control or policy to 
management without sitting down with the managers individually and reviewing 
the objectives. This will require you to do your homework and to 
understand the business process in each department. It will be important to 
know the peak periods of activity in the department and what the managers' 
concerns are. When meeting with the managers, be sure to listen to their 
concerns and be prepared to ask for their suggestions on how to improve 
the program. Remember: the key here is to partner with your audience. 

Finally, look for possible allies. Find out what managers support the 
objectives of the security program and those who have the respect of their 




peers. This means that it will be necessary to expand the area of support 
beyond physical security and the audit staff. Seek out business managers who 
have a vested interest in seeing this program succeed. Use their support to 
springboard the program to acceptance. 

A key point in this entire process is never to refer to the security 
program or the awareness campaign as “my program.” The enterprise has 
identified the need for security and you and your group are acting as the 
catalysts to move the program forward. When discussing the program with 
employees and managers, it will be beneficial to refer to it as their program 
or our program. Make them feel that they are key stakeholders in this 
process. 

In a presentation used to introduce the security concept to the organization, 
it may be beneficial to say something like: 


Just as steps have been taken to ensure the safety of the employees 
in the workplace, the organization is now asking that the employees 
work to protect the second most important enterprise asset — information. 
If the organization fails to protect its information from unauthorized 
access, modification, disclosure, and destruction, then the 
organization faces the prospect of loss of customer confidence, competitive 
advantage, and possibly jobs. All employees must accept the 
need and responsibility to protect our property and assets. 


Involve the user community and accept its comments whenever possible. 
Make information security the users' program. Use what they identify as 
important in the awareness program. By having them involved, the 
program truly becomes theirs and they are more willing to accept and 
internalize the process. 


8.5 Security Awareness Program Development 


Different people do not need the same degree or type of information security 
awareness to do their jobs. An awareness program that distinguishes between 
groups of people, and presents only information that is relevant to that 
particular audience, will have the best results. Segmenting the audiences by 
job function, familiarity with systems, or some other category can improve 
the effectiveness of the security awareness and acceptance program. The 
purpose of segmenting audiences is to give the message the best possible 
chance of success. There are many ways in which to segment the user 
community; some of the more common methods are provided here. 


■ Level of awareness — Employees may be divided based on their current 
level of awareness of the information security objectives. One method 
of determining levels of awareness is to conduct a “walkabout.” A 
walkabout is conducted after normal working hours and looks for 
certain key indicators. Look for just five key indicators: 

1. Offices locked 
2. Desks and cabinets locked 
3. Workstations secured 
4. Information secured 
5. Recording media (diskettes, tapes, CDs, cassettes, etc.) secured 

■ Job category — Personnel may be grouped according to job titles: 
Senior managers (including officers and directors) 
Middle management 
Line supervision 
Employees 
Others 

■ Specific job function — Employees and personnel may be grouped 
according to job function: 
Service providers 
Information owners 
Users 

■ Information-processing knowledge — As discussed above, not every 
employee has the same level of knowledge of how computers work. 
A security message for technical support personnel may be very 
different from that for data entry clerks. Senior management may have a 
very different level of computer skills than the office administrator. 

■ Technology, system, or application used — To avoid “religious wars” it 
may be prudent to segment the audience based on the technology 
used. Mac and Intel-based systems users often have differing views, as 
do MVS users and UNIX users. The message may reach the audience 
faster if the technology used is considered. 


Once the audience has been segmented, it will be necessary to establish 
the roles expected of the employees. These roles may include information 
owners, custodians of the data and systems, and general users. For all messages 
it will be necessary to employ the KISS process, that is, Keep It Simple Sweetie. 
Inform the audience, but try to stay away from commandments or directives. 
Discuss the goals and objectives using real-world scenarios. Whenever possible, 
avoid quoting policies, procedures, standards, or guidelines. 

Policies and procedures are boring, and if employees want more information, 
then they can access the documents on the organization intranet. If you 
feel that you must resort to this method, then you have missed the most 
important tenet of awareness, that is, to identify the business reason. Never 
tell employees that something is being implemented to “be in compliance 
with audit requirements.” This is at best a cop-out and fails to explain in 
business terms why something is needed. 


8.6 Methods Used to Convey the Awareness Message 


How do people learn and where do people obtain their information? These 
are two very important questions to understand when developing an information 
security awareness program. Each of these is different. If we were 
implementing a training program, we would be able to select from three basic 
methods of training: 


1. Buy a book and read about the subject. 
2. Watch a video on the subject. 
3. Ask someone to show you how. 


For most employees the third method is best for training. They like the hands- 
on approach and want to have someone there to answer questions. With 
awareness the process is a little different. According to findings reported in 
USA Today, over 90 percent of Americans obtain their news from television 
or radio. To make an awareness program work, it will be necessary to tap 
into that model. 

There are a number of different ways to get the message out to the user 
community. The key is to make the message stimulating to the senses of the 
audience. This can be accomplished by using posters, pictures, and videos. 
Because so many of our employees use the television as their primary source 
for gathering information, it is important to use videos to reinforce the message. 
The use of videos will serve several purposes. 

With the advent of the news magazine format so popular in television 
today, our employees are already conditioned to accept the information 
presented as factual. This allows us to use the media to present them with 
the messages we consider important. Because they accept material presented 
in this format, the use of videos allows us to bring in an informed outsider 
to present the message. Many times our message fails because our audience 
knows the messenger. As a fellow worker, our credibility may be questioned. 
A video provides an expert on the subject. 

There are a number of organizations that offer computer and information 
security videos. You might want to consider having a senior executive video- 
tape a message that can be run at the beginning of the other video. Costs for 
creating a quality in-house video can be prohibitive. A 20-minute video that 
is more than just “talking heads” can run $90,000 to $100,000. 

An effective program will also take advantage of brochures, newsletters, 
or booklets. In all cases the effectiveness of the medium will depend on how 
well it is created and how succinct the message is. One major problem with 
newsletters is finding enough material to complete the pages each time you 
want to go to print. One way to present a quality newsletter is to look for 
vendors to provide such material. The Computer Security Institute offers a 
document titled Frontline. This newsletter is researched and written every 
quarter by the CSI editorial staff and provides the space for a column written 
by your organization to provide pertinent information for your organization. 
Once the materials are ready, CSI sends out either camera-ready or PDF format 
versions of the newsletter. The customer then is authorized to make unlimited 
copies of the newsletter. 




As we discussed above, many organizations are requiring business units 
to name information protection coordinators. One of the tasks of these 
coordinators is to present awareness sessions for their organizations. An 
effective way of getting a consistent message out is to “train the trainers.” 
Create a security awareness presentation and then bring in the coordinators 
to train them in presenting the corporate message to their user community. 
This will ensure that the message presented meets the needs of each organi- 
zation and that they view the program as theirs. 

It will be necessary to identify those employees who have not attended 
awareness training. By having some form of sign-in or other recording mechanism, 
the program will be assured of reaching most of the employees. By having 
the coordinator submit annual reports on the number of employees trained, the 
enterprise will have a degree of comfort in meeting its goals and objectives. 


8.7 Presentation Key Elements 


Although every organization has its own style and method of training, it might 
help to review some important issues when creating an awareness program. 
One very important item to keep in mind is that the topic of information security 
is very broad. Do not get overwhelmed with the prospect of providing information 
on every facet of information security in one meeting. The old adage 
of “How do you eat an elephant? One bite at a time” must be remembered. 

Prioritize your message to the employees. Start small and build on the 
program. Remember: you are going to have many opportunities to present 
your messages. Identify where to begin, present the message, reinforce the 
message, and then build to the next objective. Keep the training sessions as 
brief as possible. It is normally recommended to keep these sessions to no 
more than 50 minutes. There are a number of reasons for under an hour: 
biology (you can only hold coffee for so long), attention spans, and productive 
work needs. Start with an attention-grabbing piece and then follow up with 
additional information. 

Tailor the presentations to the vocabulary and skill set of the audience. 
Know who you are talking to and provide them with information they can 
understand. This will not be a formal doctoral presentation. The awareness 
session must take into account the audience and the culture of the organization. 
Understand the needs, knowledge, and jobs of the attendees. Stress the positive 
and business side of security: protecting the assets of the organization. Provide 
the audience with a reminder (booklet, brochure, or trinket) of the objectives 
of the program. 


8.8 Typical Presentation Format 


In any program that hopes to modify behavior, there are three keys: tell 
them what you are going to say, say it, and then remind them of what you 
said. A typical agenda might look like the following. 




Start with an introduction of the topic of what information security is about 
and how it will impact their business units and departments. Follow with a 
video that will reinforce the message and present the audience with an external 
expert supporting the corporate message. Discuss any methods that will be 
employed to monitor compliance to the program and provide them with the 
rationale for the compliance checking. Provide them with time for questions 
and ensure that every question either gets an answer or is recorded and the 
answer provided as soon as possible. Finally, give them some item that will 
reinforce the message. 


8.9 When to Do Awareness 


Any awareness program must be scheduled around the work patterns of the 
audience. Take into account busy periods for the various departments and 
make certain that the sessions do not impact the peak periods. The best times 
for having these sessions are in the morning on Tuesday, Wednesday, and 
Thursday. First thing Monday morning will impact those getting back and 
starting the week's work. Having the session on Friday afternoon will not be 
as productive as you would like. Scheduling anything right after lunch is 
always a worry. The physiological clock of humans is at its lowest productivity 
level right after lunch. If you turn out the lights to show a movie, the snoring 
may drown out the video. Also, schedule sessions during off-shift hours. 
Second- and third-shift employees should have the opportunity to view the 
message during their work hours just as those on the day shift do. 


8.10 The Information Security Message 


The employees need to know that information is an important enterprise asset 
and is the property of the organization. All employees have a responsibility 
to ensure that this asset, like all others, is protected and used to support 
management-approved business activities. To assist them in this process, 
employees must be made aware of the possible threats and what can be done 
to combat those threats. The scope of the program must be identified. Is the 
program dealing only with computer-held data, or does it reach to all information 
wherever it is resident? Make sure the employees know the total scope 
of the program. Enlist their support in protecting this asset. The mission and 
business of the enterprise may depend on it. 


8.11 Information Security Self-Assessment 


Each organization will have to develop a process with which to measure the 
compliance level of the information security program. As part of the awareness 
process, staff should be made aware of the compliance process. Included for 
you is an example of how an organization might evaluate the level of 
information security within a department or throughout the enterprise. See 
Appendix F for examples. 


8.12 Conclusion 


Information security is more than just policies, standards, procedures, and 
guidelines. It is more than audit comments and requirements. It is a cultural 
change for most employees. Before employees can be required to be compliant 
with a security program, they first must become aware of the program. 
Awareness is an ongoing program that employees must have contact with on 
at least an annual basis. 

Information security awareness does not require huge cash outlays. It does 
require time and proper project management. Keep the message in front of 
the employees. Use different methods and means. Bring in outside speakers 
whenever possible and use videos to best advantage. 


Chapter 9 


Why Manage This Process 
as a Project? 


Although a project is usually defined as a one-time effort that has a definite 
beginning and end, and the implementation of security policies can be an 
ongoing effort, managing this process as a project will help keep the implementation 
team focused on the results to be achieved. Applying project 
management practices will also help with the assessment of those results to 
ensure they meet the needs of the organization. 

Consideration should be given to such questions as: What is included 
within the area of concern, or what is the scope? What should be done first? 
How much time will it take? Is there a deadline that will act as a constraint 
on how much can be accomplished? How should changing requirements be 
managed? How much will it cost? How relevant are the policies and procedures 
to the environment? Who should create them? How should they be reviewed? 
How should they be communicated? How can opportunities for improvement 
be maximized? How can the potential for resistance by staff be mitigated? 
When should external sources be considered for providing assistance? 

Creating and implementing security policies and procedures begins with a 
thorough understanding of why your organization is concerned that these 
policies and procedures exist. Understanding the reasons the effort was 
undertaken will help you set goals and objectives when determining how the 
security needs of your organization will be met. Later, the results of your effort 
should be reviewed to ensure that they accomplished what was expected. 


9.1 First Things First — Identify the Sponsor 


A key factor in implementing policies and procedures successfully is to have 
commitment from senior-level management. The person with the means to 
commit resources to this effort should be identified as the project sponsor. 
This sponsor will be the final person responsible for all major implementation 
decisions. The absence of a sponsor of sufficient organizational prominence 
is a major risk to successful implementation of policies and procedures. Work 
completed without this sponsor may be subject to rework if the project team 
proceeds in a direction not supported by management. It is important that 
support be explicitly obvious. Clear management support will help obtain the 
cooperation and contributions needed from individuals who may not be direct 
members of the project team. 

The project manager is the individual who leads the work effort and is 
responsible for the day-to-day planning, management, and control of the 
project. The successful completion of project deliverables on time, within 
budget, and to the specified quality standards is included in the project 
manager's responsibilities. 

The project manager may be recruited from any area concerned with 
security, such as information security or internal auditing. This individual could 
also be recruited from outside the organization. Superior communication, 
organization, and team-building skills are among the traits that this individual 
should possess. 

It is best to have only one project manager so that the management and 
control of project activities can be effectively coordinated. Managing the 
implementation of policies and procedures requires contributions and feedback 
from multiple sources. A project manager fulfills the role of the 
conductor in ensuring that these contributions are well integrated within the 
overall project. 

Ensure that the project manager possesses a sufficient level of experience 
and skill to manage the challenges that can be encountered when policies 
are being implemented. Be conscious of the tendency toward resistance 
among staff when it comes to documenting business processes or practices 
that may be perceived as candidates for remediation. Review any previous 
studies or reports that address existing security policies, procedures, or 
findings. A good place to start is with your internal audit staff or other groups 
that might perform audit or compliance tracking functions. Determine whether 
any constraints might inhibit progress and document all assumptions that 
have been made. Measurable criteria should be established to assess the 
success of the policy and procedure implementation. If there are quality 
objectives, quantitative requirements, expected benefits, or cost objectives to 
consider, document them. 

Once the sponsor and project manager have been identified, the project 
manager should talk with the sponsor to obtain an understanding of desired 
outcomes. Interviews are also an opportunity to identify other interested 
parties, or project stakeholders. 

Initiatives to create or revise policies and procedures may be a response 
to any number of stimuli. Legal requirements, especially in publicly traded or 
financial organizations, may need to be addressed. An adverse event that has 
occurred or nearly occurred may prompt the effort. Sometimes the effort is 
begun to guard against a situation that has occurred at another organization. 




A change in management can also spur a commitment to implement new or 
updated policies and procedures. Whatever the reason, the reason itself can 
be a good starting point for helping to define the overall objectives of this 
effort. Remember: it is extremely helpful to interview management to gain 
and document an understanding of their expectations. Clear, concise objectives 
that are documented and agreed upon by top-level management are a key 
success factor that should not be overlooked. Strive to obtain explicit confir- 
mation, with a signature if possible, of the major objectives for the project to 
create and implement the policies and procedures you will be producing. 


9.2 Defining the Scope of Work 


Defining the scope of work draws boundaries on what is to be accomplished. 
A scope statement should be developed that clearly defines what is and what 
is not included within the area of work to be completed. For example, your 
approach to developing policies may be very different if the scope addresses 
issues from an enterprise perspective rather than at a more specific depart- 
mental position. Whether you are addressing an enterprise or departmental 
perspective, determine the high-level objectives that the policies and proce- 
dures are supposed to address and relate them to the business objectives of 
the organization. Relating your project to the business objectives of the 
enterprise helps address issues associated with competing demands for limited 
resources. You need to demonstrate that the activities associated with the 
implementation of security policies and procedures provide a positive contri- 
bution to the goals of your organization. 

To help define objectives, consider the types of information security challenges 
your organization must face. These objectives, or project requirements, 
lay the foundation for the plan of activities that will be developed to address 
those requirements. Careful consideration should be given to defining project 
requirements, and they should always be documented. Requirements that are 
not documented are subject to ambiguity and misinterpretation. Developing 
a consistent understanding of the scope and requirements is extremely important 
in ensuring that the outcomes of your effort meet those requirements. If 
you are not sure of your organization's requirements, you are not likely to 
develop policies to address those needs. A clear understanding of requirements 
will help direct effort toward achieving your goals. Clear requirements will 
guide your activities and provide a basis for future decisions as you define, 
organize, and implement the policies and procedures that are created. 

Once requirements have been clearly defined, a high-level breakdown of 
project components or activities can be developed. This high-level breakdown, 
or work breakdown structure (WBS; Exhibit 1), is a deliverable-oriented 
grouping of elements that help organize and define the total scope of the 
project. The WBS may be grouped by type of policy or procedure and should 
also include other supporting elements such as the communications plan. It 
is a good visual aid for identifying the work that the project will undertake. 
Work not identified in the WBS is outside the scope of the project. 




[Exhibit 1 High-Level Work Breakdown Structure: a tree diagram whose root is 
the “ABC Information Security Policies and Procedures Project,” with child 
boxes for Project Management, two groups of policies, and the 
Communications Plan.] 


After a high-level grouping of project deliverables has been defined, each 
high-level group should be further subdivided into more manageable components 
until enough detail is obtained to allow estimates of time, cost, and 
resource requirements to be assigned to each component. Although the 
sponsor and project manager can identify the high-level groups, the decomposition 
into subcomponents should be completed with the participation of 
other team members. See Section 9.3 for more details. 

Once high-level requirements are defined and agreed upon, a project kickoff meeting (see Exhibit 2) can be held to officially “begin” the project. This kickoff is a special meeting at which all stakeholders, project participants, and other interested parties are introduced to the project. It is very helpful in terms of obtaining cooperation and buy-in if the project sponsor delivers a statement that emphasizes the importance of the project as well as key expectations.

The kickoff should also include an outline of the proposed approach to achieving the defined project requirements and should provide an opportunity for participants to ask questions of and give feedback to the project team.


9.3 Time Management 


Time management processes are designed to promote the timely completion of the policies and procedures project. These processes include identifying the various activities required to complete the project. These activities can then be sequenced to identify activity interdependencies. Once interdependencies are identified, estimates can be determined to establish a project schedule. The project schedule will provide the basis for controlling the project activities.

To identify project activities, review the scope, high-level objectives, and constraints of the project. Then identify the appropriate lower-level steps and tasks to be accomplished. The WBS should be reviewed and adjusted to ensure that all necessary tasks are included and that any unnecessary work has been removed. A basic project management tenet is to ensure that the project is controlled so that it includes all the work required and only the work required to bring it to successful completion. The project manager can start this process, but other project participants should supplement it with their contributions. Brainstorming techniques may be used when decomposing the high-level elements of the WBS into their lower-level components (Exhibit 3). After each element has been broken down, review each one and gain consensus on the validity of its subcomponents.


Why Manage This Process as a Project? 165


Exhibit 2 Sample Project Kickoff Meeting Agenda

Security Policies & Procedures Project
Date:
Time:
Place:

The purpose of this meeting is to begin the Security Policies and Procedures Project.

■ Invitees: Sponsor, Project Manager, Project Team Members, other stakeholders

■ Desired Outcomes:
  1. Establish working relationships and lines of communication
  2. Establish and review project scope and objectives
  3. Review project approach
  4. Establish responsibilities
  5. Identify and document issues to be addressed
  6. Identify next steps

Agenda Items ................................................ Who
Introduction ................................................ Project Manager
Review agenda ............................................... Project Manager
Project briefing: the purpose of this project ............... Sponsor
Project scope and objectives ................................ Project Manager
Project approach ............................................ Team
Responsibilities
Exhibit 3 Sample Work Breakdown Structure Organized by Policy Type

ABC Information Security Policies and Procedures Project
  Project Management
    Project Planning
    Project Control
    Administration
  Information Security Policy
    Organization Analysis
    Organization Objectives
    Policy Documentation
  Information Classification Policy
    Organization Analysis
    Organization Objectives
    Policy Documentation
  Communications Plan
    Planning and Execution
    Training
    Assessment




Each element should be decomposed to a level sufficient to later support 
an estimate of required time, cost, and resources to complete. The WBS is 
intended to organize and define the scope of the project and is not meant to 
demonstrate the sequence of work to be performed. Sequencing is performed 
later, after all the activities have been identified and defined. The sequencing 
activity will support the development of a schedule. 

After decomposition, a list of all project activities to be performed can be 
developed based on the refined WBS. This list should include descriptions to 
ensure that the individuals assigned to complete the work understand what 
is to be delivered. After all activities are identified, they should be analyzed 
to identify interdependencies. Activities must be sequenced appropriately to 
develop a realistic schedule. Be sure to include activities that are administrative 
in nature, such as planning and conducting meetings and completing status 
reports. These activities may be grouped together, but careful consideration 
to this area will help prevent an overly optimistic estimate. Exhibit 4 displays 
a sample of a decomposed WBS. 

Estimates for time to complete or effort can be developed after all activities and their interdependencies have been identified. Effort estimates will be influenced by the project manager's prior experience, ability to make judgments based on limited information, and knowledge of the subject matter. The estimating process should include the project team members; estimates developed by obtaining consensus from the team will probably be more accurate. Producing and reviewing estimates with the participation of the people who will do the work will also support team building and will build confidence in the estimates produced.

A bottom-up estimate for the overall project can be produced by allocating effort estimates to each lowest-level component and aggregating them up to obtain an initial estimate for the total project. Effort estimates for each WBS component together with the identified activities to be performed and their interdependencies will allow the project manager to develop the project schedule. Be sure to record all assumptions and issues identified.

Before beginning the estimating process, review the following questions:

■ Who should be involved?

■ What units of measure should be used: hours, days, weeks? The unit determined should be appropriate to the level of detail used to define the activities and ideally should be consistent across the entire project.

■ How will contingencies be applied?


Two possible approaches to use are consensus-based and weighted-average estimating. A consensus-based estimate is an estimate that is developed by the people who are involved in an activity. The estimates produced will vary based on the differing viewpoints and experiences of the people on the team. Participants are asked to produce estimates and then to explain the reasoning behind the estimates. The estimates can be discussed in reference to these explanations and, eventually, agreement can be reached for a single estimate.


Exhibit 4 Sample Decomposed WBS

1. Project Planning, Scheduling, and Budgeting
   1.1 Project Kickoff
   1.2 Establish Project Sponsor
   1.3 Identify Benefits and Costs
   1.4 Develop Business Case
   1.5 Establish Objectives
   1.6 Define Project Scope
   1.7 Define Project Approach
   1.8 Define Project Activities
   1.9 Develop Project Schedule
   1.10 Prepare Project Budget
   1.11 Determine Project Staffing Requirements
   1.12 Establish Roles and Responsibilities
   1.13 Conduct Project Status Assessment

2. Training
   2.1 Determine Training Requirements
   2.2 Identify and Acquire Tools
   2.3 Develop Training Plan
   2.4 Manage Training Activities
   2.5 Establish Budget Status Reporting Methods
   2.6 Establish Schedule Status Reporting Methods
   2.7 Conduct Project Status Assessment

3. Project Control
   3.1 Monitor Project Progress
   3.2 Identify and Resolve Issues
   3.3 Manage Exception Situations
   3.4 Review and Revise Project Plan
   3.5 Conduct Project Status Assessment

4. Project Quality Procedures
   4.1 Review Enterprise Documentation Standards
   4.2 Define Quality Objectives
   4.3 Define Product Quality Control Reviews
   4.4 Define Documentation Standards for Policies
   4.5 Define Documentation Standards for Procedures
   4.6 Develop Quality Plan
   4.7 Define Policy/Procedure Review Strategies
   4.8 Define Documentation Management Plan
   4.9 Identify/Define Support Tools and Procedures
   4.10 Conduct Project Status Assessment

5. Develop Policies
   5.1 Document Definitions
   5.2 Identify Required Policies
   5.3 Identify Procedures, Standards Required
   5.4 Determine Formatting
   5.5 Outline Content
   5.6 Develop and Define Policies
   5.7 Develop and Define Standards
   5.8 Develop and Define Guidelines
   5.9 Develop and Define Procedures
   5.10 Conduct Project Status Assessment

6. Communications Planning
   6.1 Identify Audiences
   6.2 Determine Distribution Frequency Requirements
   6.3 Determine Information Distribution Mechanisms
   6.4 Develop Communications Plan
   6.5 Define Performance Reporting Requirements
   6.6 Conduct Project Status Assessment

7. Project Closure
   7.1 Complete Final Evaluations
   7.2 Initiate Maintenance Process
   7.3 Close Outstanding Project Work
   7.4 Collect Project Feedback
   7.5 Compile Project Closure Documents


To develop a weighted-average estimate, have participants estimate each component of the activities list giving best-case, worst-case, and most likely estimates. This task should be completed individually; then a workshop can be conducted to consolidate and review the initial estimates. How the weighted average is calculated should be determined by the project manager or by team consensus. The weighted-average table shown in Exhibit 5 and its calculations are illustrative only and are not intended to represent the actual experience of any specific project.

The results should be reviewed with special attention paid to large variations between the best, worst, and most likely estimates given for the same activity. Reasons for the large variations should be determined and reconciled. Try to gain agreement among the estimators. The intention is not to arrive at the same value for the best, worst, and most likely cases, but to gain agreement on what the best, worst, and most likely cases are.

Once the estimates have been completed, they should be converted into practical estimates by allowing for nonproductive time such as sickness and vacation. This may involve the application of a standard percentage value that is used to increase effort estimates. Be careful to avoid double-counting these items and inadvertently inflating the estimates.


Exhibit 5 Sample Table of Weighted-Average Calculations

Category/Item | Best Case, in days (Weight = 15 percent) | Most Likely Case, in days (Weight = 55 percent) | Worst Case, in days (Weight = 30 percent) | Weighted Average (rounded)
Information classification: Establish the team | 1 | 5 | 15 | 7
Information classification: Develop the policy | 4 | 10 | 30 | 15
Information classification: Determining confidential information | 6 | 20 | 60 | 30
Information classification: Identifying information to be declassified or reclassified | 10 | 20 | 60 | 31

Weighted-average formula: (BC × 0.15) + (MLC × 0.55) + (WC × 0.30)
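As an added example, not material from the book, the following Python script carries this section's estimating procedure through in code: it computes the three-point weighted average with the weights of Exhibit 5, rolls the lowest-level estimates up through a WBS branch (the bottom-up estimate described earlier in this section), flags activities whose best and worst cases are far apart so they can be reconciled with the estimators, and applies the nonproductive-time allowance once, at the total, so it is not double-counted. The sample figures are the four rows of Exhibit 5; the WBS codes beneath element 5.6, the spread threshold, and the 20 percent allowance are assumptions made for the example.

```python
"""Three-point (weighted-average) and bottom-up WBS estimating.

Added example; not from the book. Weights follow the chapter's illustrative
formula (BC x 0.15) + (MLC x 0.55) + (WC x 0.30). The WBS codes, the spread
threshold, and the nonproductive-time percentage are assumptions.
"""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from typing import List, Optional, Tuple

WEIGHT_BEST = Decimal("0.15")
WEIGHT_LIKELY = Decimal("0.55")
WEIGHT_WORST = Decimal("0.30")


def weighted_average(best, likely, worst) -> Decimal:
    """Three-point estimate in the same unit (days here) as its inputs."""
    b, m, w = (Decimal(str(v)) for v in (best, likely, worst))
    if not b <= m <= w:
        raise ValueError(f"expected best <= most likely <= worst, got {b}, {m}, {w}")
    return WEIGHT_BEST * b + WEIGHT_LIKELY * m + WEIGHT_WORST * w


def rounded(value: Decimal) -> int:
    """Round half up, as Exhibit 5 does (30.5 -> 31); the built-in round()
    uses banker's rounding and would return 30 for that row."""
    return int(value.quantize(Decimal("1"), rounding=ROUND_HALF_UP))


@dataclass
class WbsElement:
    """A WBS element; only lowest-level elements carry a three-point estimate."""
    code: str
    name: str
    estimate: Optional[Tuple[float, float, float]] = None  # (best, likely, worst)
    children: List["WbsElement"] = field(default_factory=list)


def bottom_up_effort(node: WbsElement) -> Decimal:
    """Sum the lowest-level weighted averages up through the WBS."""
    if node.children:
        return sum((bottom_up_effort(c) for c in node.children), Decimal("0"))
    if node.estimate is None:
        raise ValueError(f"{node.code} {node.name}: lowest-level element has no estimate")
    return weighted_average(*node.estimate)


def wide_spreads(node: WbsElement, max_ratio: int = 10) -> List[str]:
    """Codes of lowest-level elements whose worst case exceeds max_ratio times
    the best case; the section says such variations must be reconciled."""
    if node.children:
        return [code for child in node.children for code in wide_spreads(child, max_ratio)]
    if node.estimate is None:
        return []
    best, _, worst = node.estimate
    return [node.code] if worst > max_ratio * best else []


def practical_estimate(effort: Decimal, nonproductive_percent: int) -> Decimal:
    """Apply the nonproductive-time allowance once, to the total, so it is not
    double-counted by also padding every lowest-level estimate."""
    return effort * Decimal(100 + nonproductive_percent) / Decimal(100)


# Constructed sample: Exhibit 5's four rows placed under WBS element 5.6
# (the decomposition into 5.6.1-5.6.4 is assumed, not from the book).
SAMPLE_WBS = WbsElement("5.6", "Develop and Define Policies", children=[
    WbsElement("5.6.1", "Establish the team", (1, 5, 15)),
    WbsElement("5.6.2", "Develop the policy", (4, 10, 30)),
    WbsElement("5.6.3", "Determining confidential information", (6, 20, 60)),
    WbsElement("5.6.4", "Identifying information to be declassified or reclassified", (10, 20, 60)),
])

if __name__ == "__main__":
    for leaf in SAMPLE_WBS.children:
        print(f"{leaf.code} {leaf.name}: {rounded(weighted_average(*leaf.estimate))} days")
    total = bottom_up_effort(SAMPLE_WBS)
    print(f"bottom-up total: {total} days")
    print(f"with a 20 percent nonproductive allowance: {rounded(practical_estimate(total, 20))} days")
    print(f"spreads to reconcile: {wide_spreads(SAMPLE_WBS)}")
```

The script reproduces the exhibit's rounded column (7, 15, 30, 31), a bottom-up total of 82.90 days for the branch, and 99 days once the assumed 20 percent allowance is applied; only "Establish the team" is flagged for its 15:1 worst-to-best spread. Decimal arithmetic is used so that a row summing to exactly 30.5 rounds the way the exhibit shows rather than the way binary floating point and banker's rounding would.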




Estimates can be developed using both consensus and weighted-average techniques with the results compared to develop a single estimate. As the project progresses, estimates may be revised based on the actual performance to date and due to unplanned events such as scope changes, staff changes, and newly identified activities.

The WBS and activities list can be developed simultaneously and may be documented as a spreadsheet or used as input to an automated scheduling tool. An automated scheduling tool will allow the project manager to complete “what-if” scenarios such as when the work should be started if an arbitrary deadline is imposed on the project and how the schedule will be impacted if project resources are limited or expanded. The project schedule, or timeline, will serve as a basis for tracking progress against the plan.


9.4 Cost Management 


The WBS and sequenced activities list developed during the beginning stages of the project are used to support the development of a cost estimate. A more-detailed WBS and activities list will support a more accurate estimate, but the level of detail required depends on the required degree of accuracy and the project manager's estimating experience. Keep in mind that a highly detailed WBS can be used to demonstrate the magnitude of the work involved and will provide support for the cost estimate. Each item on the activities list should include a labor and materials component. The cost of materials can often be overlooked when considering activities that appear to be labor intensive. For example, an activity identified as “training” may be estimated at 20 hours × $60/hour. The $1200 estimate will be too low if a graphics software package must be purchased to design the training material, printing and binding services are required, or organizational expectations are that participants will be served food and beverages during training.


9.5 Planning for Quality 


Planning for quality requires that processes be in place to ensure that the 
policies and procedures created satisfy the needs for which they were devel- 
oped. These processes include activities such as inspection reviews. These 
reviews are conducted to critique the policies or procedures to help ensure 
that management expectations and requirements have been met. Reviews also 
provide an opportunity to reduce the likelihood of errors, omissions, or 
misunderstandings. Results are documented and corrective action taken if 
necessary. Documentation standards, if any, should be reviewed to ensure 
that the policies and procedures developed are in compliance. 

Review participants should include project team members as well as peers 
from other organization teams who have not been closely associated with the 
project. Management generally should not be included at preliminary reviews to 
ensure that the focus remains on the examination and tuning of the policies or 
procedures developed and not on the performance or status of the project itself. 




9.6 Managing Human Resources 


The primary objective of human resource management is to make the most 
effective use of the people involved with the project. Activities included are 
planning the organizational structure of the project, acquiring staff, and devel- 
oping team members. The resources necessary to carry out the project and 
to ensure its success should be clearly defined and documented in terms of 
their roles and responsibilities. Reporting relationships can also be documented 
if necessary. All people in the project should understand their responsibilities 
and should have the time available to carry out those responsibilities. 

When determining staffing requirements, the skills required for the activities 
to be performed and their associated time frames should be defined. The WBS 
and activities list should be used during this task. Organizational policies and 
a description of the existing available resource pool should also be reviewed. 
If it is determined that resources will be acquired from outside the organization, 
a plan for how these resources will be brought onto and removed from the 
project may need to be developed. Paying attention to how team members 
will be transitioned onto and off of a project can help contain costs by 
eliminating the tendency to create work to fill the time between assignments. 

Team development includes activities that support the ability of team 
members to increase their individual contributions to the project and enhance 
the ability of the team to function effectively. The capabilities and skills of 
the project team should be assessed to help establish a plan to train members 
in any areas of deficiency. The types of training required should be docu- 
mented so that a training plan can be developed. This training is specific to 
the project team and is in addition to the awareness training plan that should 
be developed to introduce the new policies and procedures to the enterprise. 
The time required to develop team skills should be included in the project 
schedule. Include a reference to the location of the training session plan. 


9.7 Creating a Communications Plan 


Managing security communications effectively ensures that timely and appro- 
priate information is generated, updated, and disseminated to all who need 
to know. Lack of employee awareness will defeat the intentions of even the 
most comprehensive policies and procedures. The communications process 
ensures that critical connections are established among all individuals of an 
organization. These communication links are absolutely necessary for the 
successful implementation of security policies and procedures. Creating a 
communications plan will provide a framework from which to manage the 
communications process. 

The structure of an organization will have a major effect on communications requirements. The information delivery mechanisms for an organization that houses staff in one central location may be very different from one that has employees distributed over several remote locations. Take time to determine the information needs for your organization. Consider who needs what information, when and how often they should receive it, and how it will be delivered to them. An analysis of the policies and procedures and the circumstances that they address will help determine how significant they are to the organization and how often they should be delivered. Analyzing the circumstances that the policies and procedures address will also help identify the intended audience.

Exhibit 6 contains recommended types of communications that can be 
established during the development of policies and procedures. The needs of 
the project and the expectations of the project sponsor and stakeholders will 
influence how adjustments should be made. 

Exhibit 7 contains recommended types of communications to establish once policies and procedures have been approved and are ready to be disseminated to the organization. Responsibilities for delivery may be delegated; however, the sponsor should explicitly endorse all communications. The delivery mechanisms or frequencies should be revised to meet the needs of the organization or the urgency of the situations the policies were designed to address. For example, a new policy that states that all company communications are subject to spontaneous monitoring may require more frequent delivery in a large organization with a high turnover rate than in an organization with a workforce that is relatively stable.


Exhibit 6 Sample Communications Plan (during Development of Planning and Preparation)

Communication Type | Audience | Frequency | Responsibility | Delivery Mechanism
Project kickoff* | Project sponsor; Stakeholders; Project team | At project start | Project manager | Meeting
Overall status report* | Project sponsor; Stakeholders; Project team | Monthly | Project manager | Document attachment via e-mail
Project review milestone assessment* | Project sponsor | Quarterly | Project manager | Meeting
Project team meeting* | Project team | Weekly | Project manager | Meeting
Project newsletter | All affected (interested) parties | Monthly | Team members | Newsletter document via general mail
Task status | Project team; Project manager | Weekly | Team members | Update commitment calendar
Issue identification | Project manager | As needed | All | Issue management process
History/inquiries about project | All | As needed | Project manager | Electronic project notebook accessible via Web page
Problem identification: internal | Project manager | As needed | All | Problem management process

* Should be required.


Exhibit 7 Sample Communications Plan (after Deployment)

Communication Type | Audience | Frequency | Responsibility | Delivery Mechanism
New or revised policy announcement* | All | As released, periodically thereafter | Sponsor | Broadcast mail; Broadcast e-mail; Broadcast voice-mail
New or revised procedure* | All affected (interested) parties | As released | Sponsor | Training
Complete policy manual* | All | Yearly and at new employee orientation | Sponsor | Manual; Intranet Web page
General security awareness | All | Quarterly | Information security team | Broadcast mail; Broadcast e-mail; Intranet Web page; Posters
Awareness newsletter | All | Semiannually or quarterly | Information security team | Departmental meetings; Broadcast mail
Employee security awareness day | All | Yearly or semiannually | Information security team | Promotional items; Employee contests; Topic discussions and demonstrations

* Required.


9.8 Summary 


Managing the development of security policies and procedures as a project 
involves the application of a variety of skills, tools, experiences, and tech- 
niques. Project management processes help guide project activities to meet 
stakeholder needs and expectations. A primary objective of project manage- 
ment is to manage resources efficiently and effectively to deliver products on 
time and within budget while attaining a given level of quality. The intent of 
this chapter was to introduce a few key project management concepts that 
should be readily adaptable to a policies and procedures development project. 


Chapter 10 


Information Technology: 
Code of Practice for 
Information Security 
Management 


The policies in the following sections are examples of what might be expected 
in each of the ten major areas of the ISO 17799. These are only examples; 
they will require edits that will make these examples your own. 

When you review the sections, you will notice that there are nearly 700 
suggestions on things to have and to include. Select what is needed and keep 
the rest for reference. Remember that policies, standards, and procedures are 
vital and active. They will need to be reviewed on a regular basis to see if 
they are still appropriate (Exhibit 1). 


10.1 Scope 


This standard gives recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization. This is a non-action section.


10.2 Terms and Definitions 


This section defines:

■ Information security
■ Confidentiality
■ Integrity
■ Availability
■ Risk assessment
■ Risk management


Exhibit 1 ISO 17799 Structure

The ten major areas of ISO 17799, arranged around the Information Security Policy:
  Information Security Policy
  Organization Security
  Asset Classification and Control
  Personnel Security
  Physical and Environmental Security
  Communications and Operations Management
  Access Control
  Systems Development and Maintenance
  Business Continuity
  Compliance

10.3 Information Security Policy 


Objective: Company management must establish a clear direction and support for an enterprisewide information security program (Exhibit 2).


Exhibit 2 Information Security Policy 


Policy 

Information is a company asset and is the property of the Company. The Company information includes information that is electronically generated, printed, filmed, typed, stored, or verbally communicated. Information must be protected according to its sensitivity, criticality, and value, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed.


Provisions

To ensure that business objectives and customer confidence are maintained, all employees have a responsibility to protect information from unauthorized access, modification, disclosure, or destruction, whether accidental or intentional.



Responsibilities 

1. Senior management and the officers of the Company are required to employ 
internal controls designed to safeguard company assets, including business 
information. It is a management obligation to ensure that all employees 
understand and comply with the Company security policies and standards as 
well as all applicable laws and regulations. 

2. Employee responsibilities for protecting the Company information are detailed 
in the Information Classification policy. 


Compliance 

1. Company management has the responsibility to manage corporate information, 
personnel, and physical property relevant to business operations, as well as the 
right to monitor the actual utilization of all corporate assets. 

2. Employees who fail to comply with the policies will be considered to be in 
violation of the Company Employee Standards of Conduct and will be subject 
to appropriate corrective action. 


10.4 Organization Security


Objective: A management forum must be established to sponsor and champion an enterprisewide information security program. This group of senior executives will provide the direction, leadership, and resources to support such a program (Exhibit 3).


Exhibit 3 Information Security Infrastructure 


Policy 

A Management Steering Committee (MST) has been established to establish and 
approve policies supporting the Information Security Policy, assign security roles, 
and coordinate the implementation of security across the organization. 


Provisions 

Each Vice President shall appoint an employee who will administer an information protection program that appropriately classifies and protects corporate information under the Vice President's control and implement a program to ensure that all employees are aware of the importance of information and methods for its protection.


Key Terms 

Security forum, security responsibilities, job descriptions; third-party access, 
outsourcing 

Responsibilities 

1. Review and approve information security-related policies. 

2. Publish an Information Security Mission Statement. 




3. Establish job descriptions for at least the following: 
a. Information Security Officer 
b. Information Security Administrator 
c. Organization Information Security Coordinator 
4. Provide adequate funding and support for the information security program. 
5. Review annual “State of Information Security” Report published by ISO each 
January. 


Compliance 
The Company MST must review security-related incident reports to ensure that 
appropriate corrective action is implemented. 


10.5 Asset Classification and Control 


Objective: A consistent process to classify and protect enterprise information 
assets must be established. This policy must include a discussion on the 
responsibility of management to protect the assets of the organization (Exhibit 4). 


Exhibit 4 Information Classification Policy 


General 

Information is a corporate asset and is the property of the Company. This is true of all business information within the Company, regardless of how it is created, distributed, or stored and whether it is typed, handwritten, printed, computer-generated, or spoken.


The Company management is responsible for ensuring that all employees 
understand and adhere to this policy. Management is also responsible for noting 
variances from established information protection practices and for initiating 
corrective action. Employees found to be in violation of this policy are subject to 
disciplinary action as described in the Employee Standards of Conduct. 


Key Terms 
Accountability, inventory of assets; information labeling 


Information Protection

Information must be protected according to its sensitivity, criticality, and value, regardless of the media on which it is stored, the manual or automated systems that process it, or the methods by which it is distributed.

Employees are responsible for protecting corporate information from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. To facilitate the protection of corporate information, employee responsibilities have been established at three levels: Owner, Custodian, and User.

■ Owner: Company management of the organizational unit where the information is created, or management of the organizational unit that is the primary user of the information. Owners are responsible to:
  1. Identify the classification level of all corporate information within their organizational unit;
  2. Define appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource;
  3. Monitor safeguards to ensure they are properly implemented;
  4. Authorize access to those who have a business need for the information; and
  5. Remove access from those who no longer have a business need for the information.

■ Custodian: Employees designated by the owner to be responsible for maintaining the safeguards established by the owner.

■ User: Employees authorized by the owner to access information and use the safeguards established by the owner.

To ensure the proper protection of corporate information, the owner shall use a formal review process to classify information into one of the following classifications:

■ Public: Information that has been made available for public distribution through authorized company channels.

■ Confidential: Information that, if disclosed, could violate the privacy of individuals, reduce the company's competitive advantage, or could cause significant damage to the Company.

■ Internal Use: Information that is intended for use by all employees when conducting company business. Most information used in the Company would be classified as internal use.


10.6 Personnel Security 


Objective: Policies, standards, and procedures must be established to address the adequate screening of potential candidates for employment (Exhibit 5). Additional controls must be implemented for those individuals working in areas with access to sensitive or competitive-advantage information.


Exhibit 5 Personnel Security Policy 


Policy 

Individuals with access to Company information assets are expected to protect 
those assets. Security responsibilities are addressed during employee recruitment 
and activities are monitored throughout employment. 


Provisions 

Potential employees are to be adequately screened, especially for sensitive jobs. 
All employees and third-party users of Company information are subject to the 
contents of this policy. 


Key Terms 
Confidentiality agreements, terms and conditions of employment, security 
incidents, disciplinary process 



Responsibilities 

1. Senior management and the officers of the Company are required to employ 
internal controls designed to safeguard company assets, including business 
information. 

2. It is a management obligation to ensure that all employees have clear and 
concise job descriptions and that all qualifications are properly verified. 

3. Employees and third-party users of Company information are required to read 
and sign a Confidentiality Agreement. 


Compliance 

1. Company management has the responsibility to document conditions required
to obtain and maintain employment, as well as the right to monitor personnel
activities.

2. Employees who fail to comply with the terms of the Confidentiality Agreement
or who have falsified resume (curriculum vitae) information are subject to
appropriate disciplinary actions.


10.7 Physical and Environmental Security 


Objective: It is a management responsibility to establish a safe and secure
working environment (Exhibit 6). Access to enterprise locations must be
restricted to those persons with a business need. Levels of protection must
be commensurate with the value of the asset and vulnerability to identified
risks.


Exhibit 6 General Security 


Policy 
It is the responsibility of Company management to provide a safe and secure
workplace for all employees.


Provisions 

1. Company offices will be protected from unauthorized access.

2. Areas within buildings which house sensitive or high-risk equipment will be
protected against fire, water, and other hazards.

3. Devices that are critical to the operation of company business processes will be
protected against power failure.


Key Terms

Security perimeter, entry controls, cabling security, secure disposal of equipment,
clear desk policy

Responsibilities 

1. Senior management and the officers of the Company are required to maintain 
accurate records and to employ internal controls designed to safeguard 
company assets and property against unauthorized use or disposition. 


Information Technology: Code of Practice for Information Security Management 181 




2. The assets of the Company include but are not limited to physical property, 
intellectual property, patents, trade secrets, copyrights, and trademarks. 

3. Additionally, it is the responsibility of line management to ensure that staff is
aware of, and fully complies with, Company security guidelines and all relevant
laws and regulations.


Compliance 

1. Management is responsible for conducting periodic revievvs and audits to 
ensure the compliance of all policies, procedures, practices, standards, and 
guidelines. 

2. Employees who fail to comply with the policies will be treated as being in 
violation of the Employee Standards of Conduct and will be subject to 
appropriate corrective action. 


10.8 Communications and Operations Management


Objective: Employee responsibilities and procedures for the management and
operation of all information-processing facilities and platforms must be
established (Exhibit 7). This includes the implementation of effective operating
instructions and incident response procedures.


Exhibit 7 Operational Change Control 


Policy 

All changes to the information processing system, facilities, production libraries,
hardware, software, and applications must be controlled. Company management
has implemented a formal Change Control Process for all platforms and systems.


Standards 

1. The Change Control Review Team (CCRT) must review all change requests prior
to implementation. For emergency changes, see the Emergency Change Control
Process.

2. The CCRT review meeting will be held on the Wednesday of each week.

3. Approved requests will be scheduled within eight working days.


Responsibilities 

1. Change Requestor:
   a. Complete all documentation and submit to CCRT for review,
   b. Complete “back out” procedure prior to scheduled implementation date, and
   c. Communicate details of change to all relevant persons.

2. CCRT:
   a. Review all Requestor packages,
   b. Schedule formal reviews for next CCRT weekly session,
   c. Assess potential impact of change,
   d. Schedule approved changes, and
   e. Assess actual impact of change.




Compliance 
CCRT will maintain a log of all changes and report to Management Steering Team 
any deviations from this policy. 


10.9 Access Control Policy 


Objective: Business requirements for access control must be implemented
(Exhibit 8). Access control rules and rights for each user or group of users
must be clearly stated. Included in this section is a determination on
establishing access rules based on a policy of “access must be generally forbidden
unless expressly permitted” rather than the weaker rule that “information assets
are generally open unless expressly closed.”


Exhibit 8 Access Control Requirements 


Policy 
Access to all enterprise information assets must be for business- or mission-related 
purposes only. 


Provisions 

The Owner of the information asset must establish access control rules and
rights for each individual user or group of users (refer to the Information
Classification Policy for the Owner definition).


Key Terms 

Segregation of duties; separation of duties; rotation of assignments; capacity 
planning; malicious software; operator logs; network management; disposal of 
media; security of e-mail and information exchange 


Responsibilities 

1. MST is responsible for publishing access criteria. 

2. Information Owners are responsible for approving business-related access to 
information assets under their control. 


3. Individuals granted access must use the information asset in accordance with
the Owner's specifications.


Compliance

1. Individuals who exceed or attempt to exceed approved authority are subject to
having access revoked.

2. Repeat violations of this policy can lead to disciplinary actions as described in 
the Employee Standards of Conduct. 
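The objective above contrasts two postures: deny anything not expressly permitted, or permit anything not expressly closed. The following is an added example (not from the book) of an access check that implements the recommended default-deny rule and lets you compare it with the weaker posture on the same request; the users, groups, assets and rules are constructed for illustration, and the rule format is this example's own.

```python
"""Default-deny access check, modelled on the rule "access must be generally
forbidden unless expressly permitted" from Section 10.9.

Added example, not part of the book. The users, groups, assets and rules
below are constructed to show how the two postures differ on a request that
no rule mentions.
"""
from collections import namedtuple

# effect is "allow" or "deny"; principal is a user id or "group:<name>"
Rule = namedtuple("Rule", "effect principal asset action")

# Group membership as the Owner or the MST might publish it (constructed).
GROUPS = {
    "payroll-clerks": {"alice", "bob"},
    "it-admins": {"carol"},
}

# Access rules approved by the information Owners (constructed).
RULES = [
    Rule("allow", "group:payroll-clerks", "payroll-db", "read"),
    Rule("allow", "alice", "payroll-db", "update"),
    Rule("deny", "bob", "payroll-db", "update"),      # explicit deny, for contrast
    Rule("allow", "group:it-admins", "payroll-db", "backup"),
]


def principals_for(user, groups=GROUPS):
    """The user id plus a 'group:<name>' entry for every group the user is in."""
    names = {user}
    names.update(f"group:{g}" for g, members in groups.items() if user in members)
    return names


def is_permitted(user, asset, action, rules=RULES, groups=GROUPS, default_deny=True):
    """Decide one access request.

    An explicit deny always wins; otherwise an explicit allow grants.  If no
    rule matches, default_deny=True refuses the request (the posture Section
    10.9 recommends) and default_deny=False permits it (the weaker "open
    unless expressly closed" rule).
    """
    names = principals_for(user, groups)
    matched = [r for r in rules
               if r.principal in names and r.asset == asset and r.action == action]
    if any(r.effect == "deny" for r in matched):
        return False
    if any(r.effect == "allow" for r in matched):
        return True
    return not default_deny


def compare_postures(requests):
    """Map each (user, asset, action) to (default-deny result, open-by-default result)."""
    return {req: (is_permitted(*req), is_permitted(*req, default_deny=False))
            for req in requests}


if __name__ == "__main__":
    sample = [
        ("alice", "payroll-db", "read"),   # allowed through group membership
        ("bob", "payroll-db", "update"),   # explicitly denied under both postures
        ("dave", "payroll-db", "read"),    # no rule mentions dave
        ("carol", "hr-files", "read"),     # no rule mentions hr-files
    ]
    for req, (closed, open_) in compare_postures(sample).items():
        print(f"{req}: default-deny={closed}  open-unless-closed={open_}")
```

The requests that no rule mentions (dave, and the hr-files asset) are the ones that separate the two postures: under default deny they are refused until an Owner grants them, under the open posture they succeed silently, which is exactly the exposure the policy text warns against.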




10.10 Systems Development and Maintenance 


Objective: The business processes affected by a new application or system or
an enhancement to an existing application or system must be reviewed to
ensure that adequate controls are in place to ensure the continued availability
of the business process (Exhibit 9). Controls to ensure the integrity of the
output must be implemented.


Exhibit 9 Application Development Policy


Policy 

A standard application development methodology is to be used when developing 
new or enhancing existing business applications. Appropriate controls and audit 
trails or activity logs must be designed into the application. These controls include 
but are not limited to the validation of input, internal processing, output 
preparation, and transmission of data where applicable. 


Key Terms 
Data validation; checks and balances; message authentication; output validation; 
non-repudiation services; audit logs 


General Guidelines

1. Separate development and production environments and data have been
established.

2. Security is an integral part of application development.

3. Test data is not to contain confidential information.

4. Use a secured language (e.g., Java rather than C, or Perl with taint
checking enabled rather than plain Perl).

5. All major new systems must be submitted to the Change Control Review Team
for review and approval prior to production.


10.11 Business Continuity Planning 


Objective: Implement controls and procedures that counteract interruptions to
business activities and to protect critical business processes from the effects
of major failures or disasters (Exhibit 10).


Exhibit 10 Business Continuity Planning 


The business continuity plan (BCP) is a management-type control to ensure that
critical business functions can be performed after a disruption to normal business
operations. The scope of the BCP includes activities that should be performed
before, during, and after such a disruption to business. But what does this have to
do with information security? Many critical business functions are dependent on
the availability of information assets. Each organization's IS team should coordinate
the development of a BCP that identifies the organization's critical business
functions and the information required by those functions. Before writing the plan,
a Business Impact Analysis should be done.




Key Terms 
Disaster recovery plan, emergency response plans, business impact analysis, plan 
exercises, hot site, cold site, recovery teams 


Performing a Business Impact Analysis 

The purpose of a business impact analysis (BIA) is to determine the effect on the 
organization of loss of critical business functions. The critical business functions 
directly support the primary goals of the organization and enable the fulfillment of 
its value-added role. 


How to (see Information Classification Worksheet, Chapter 8):

1. Identify the critical business functions of the organization.

2. Establish the priority of each critical business function.

3. Determine how long the organization can do without each critical business
function.

4. Identify the resources, especially information resources, required to support 
the critical business functions. 

5. Estimate the tangible and intangible impacts on the organization of loss of each 
critical business function. 


You may notice that the business impact analysis is similar to the information risk 
assessment. The main difference is that a threat-vulnerability analysis is not done 
here. 


10.12 Compliance 


Objective: Policies, standards, and procedures must be established to ensure
that the enterprise and its employees do not breach any criminal and civil
law, statutory, regulatory, or contractual obligations (Exhibit 11).


Exhibit 11 Software Code of Ethics


Key Terms 
Copyright, intellectual property; privacy; regulations; evidence; compliance 
checking; audit 


Policy 

Unauthorized duplication of copyrighted computer software violates the law and
is contrary to corporate standards of conduct. The Company prohibits such copying
and recognizes the following principles as a basis for preventing its occurrence:

■ The Company will neither commit nor tolerate the making or use of
unauthorized software copies under any circumstances.

■ The Company will provide legitimately acquired software to meet all legitimate
software needs in a timely fashion and in sufficient quantities.

■ All employees shall comply with all license or purchase terms regulating the use
of any software acquired or used.




■ The Company will implement and enforce strong internal controls to prevent
the making or use of unauthorized software copies, including effective measures
to verify compliance with these standards.


Chapter 11 


Review 


In Chapter 1 we discussed the role of the information protection professional, 
which has changed over the past 25 years and will change again and again. 
Implementing controls to be in compliance with audit requirements is not the 
way in which a program such as this can be run. There are limited resources 
available for controls. To be effective, information owners and users must 
accept the controls. To meet this end, it is necessary for information protection 
professionals to establish partnerships with their constituency. Work with your 
owners and users to find an appropriate level of controls. Understand the 
needs of the business or the mission of your organization. Make certain that 
information protection supports those goals and objectives. 

In Chapter 2 we discussed the writing mechanics and concepts to be used
to get the message out to the reader. Included in this discussion were:

■ Attention span
  ■ Keeping the topic up-front
  ■ Amount of time before we lose the reader
■ Writing concepts
  ■ Identifying the objective
  ■ Knowing the audience
  ■ Finding a hook
  ■ Knowing the subject
  ■ Asking for what is needed from the reader
  ■ Keeping sentences clear and precise
  ■ Using established forms of documents
  ■ Using an active voice
  ■ Reading other policies
  ■ Using a conversational style
  ■ Topic sentence and thesis statements
  ■ Writing don'ts




When you need to write policies, standards, and procedures, you will have 
an overwhelming desire to start writing. But take the time to determine what 
needs to be done and how you will do it. Do your research. There are no 
new policies. Whatever you need to write about, you should be able to find 
an example that can be used to guide you along in your development. Try 
to avoid the temptation of taking an existing policy and just changing the 
names. It might work, but the odds that this kind of quick fix will meet the 
specific business objectives of your organization are very small. 

In Chapter 3 we discussed that the policy is the cornerstone of the information 
security architecture of an organization; that the policy is important to establish 
both internally and externally the position of an organization on a particular topic. 

We then looked at what a policy is and what it is not. There was discussion 
on the definitions of: 


■ Policy
■ Standard
■ Guideline
■ Procedure


Next, there was an examination of the key elements of a policy: 


■ Be easy to understand
■ Be applicable
■ Be “doable”
■ Be enforceable
■ Be phased in
■ Be proactive
■ Avoid absolutes
■ Meet business objectives


There was a review of what the policy format might be, and then we 
discussed the three basic types of policy: 


■ Program policy
■ Topic-specific policy
■ Application-specific policy


Finally we examined five actual policy statements and critiqued them based 
on the checklist and some helpful hints and pitfalls to avoid. 

In Chapter 4 we discussed that the mission statement should ensure that
the security of the information and communication processing resources of
the corporation is sufficient to reduce risk to a level acceptable to the
management of the corporation.

Responsibilities:


■ To recommend policies, standards, and procedures that foster the
protection of information and information-processing resources



■ To assist units and divisions in the selection and implementation of the
protective measures required in their areas of responsibility

■ To evaluate new technology and recommend security strategies to
protect it

■ To identify areas of potential risk in the protection of corporate
computer and information assets and to alert management once those areas
have been identified

■ To provide training for security control requirements during all phases
of application and system development

■ To develop programs to increase security awareness at all levels of the
corporation

■ To develop a liaison between the corporate security and audit staffs to
ensure that security efforts are coordinated and resources are conserved
by preventing duplication of effort

■ To coordinate and assist in the development of business resumption
plans for all data centers supporting critical business functions

■ To work with the local ISSO to ensure that corporate-mandated
programs are cost-effective and operationally effective

■ To act as a consultant to all areas on the security of information and
computer systems

■ To monitor changes in laws and regulations as well as changes in
technology and corporate goals and to determine the impact of these
changes on corporate security requirements

■ To review new system access and information protection products and
make recommendations on these products to ensure they meet minimum
corporate requirements

■ To provide account administration across all platforms

■ To provide consulting support for all application development projects

■ To act as audit liaison for all information and computer security-related
matters

■ To assist in the investigation and reporting of computer thefts,
intrusions, viruses, and breaches of information protection controls

■ To assist in the development of effective monitoring programs to ensure
that corporate information is protected as required


In Chapter 5 we discussed the standard. In the introduction we examined 
where it fit in the scheme of written documents and found that it is needed 
to provide a policy with direction. It was strongly recommended that the 
standards not be made part of the policy. This was mainly due to the process 
required to get policies modified and approved. 

On the other hand, it is quite permissible to have policies found in a 
standards manual. When developing a standards manual, it will be necessary 
to have an overview (topic-specific or application/system-specific policy) 
provide the introduction to the topic and then have supporting standards. 

We also discussed where the standard fits in the process of documentation
for employee use and why policies are not enough. We reviewed what a
standard is and examined examples of standards and how they can work in
your enterprise. Finally, we discussed the ISO 17799 International Standard
for information security and how it is actually a guideline document.

To assist you in understanding what might be necessary in developing a
security manual, Appendix A has a Policy Baseline Checklist that identifies 71
key elements to be considered when developing your information security
documentation.

In Chapter 6 we discussed that, when writing procedures, it is best to keep
the language as simple as possible. Attempt to stay away from flowery phrases
and multi-syllable words. Keep the sentences short and the terms crisp. Identify
each role in the procedure, and find the style that best meets the needs of
your organization.

In this chapter we reviewed the definitions of policy, procedure, standard,
and guideline and discussed the writing “Ten Commandments.”

We then examined the key elements of procedures: 


■ Identify the procedure need
■ Identify the target audience
■ Establish the scope of the procedure
■ Describe the intent of the procedure


We examined a procedure twelve-point checklist, and then examined six styles
of procedures:


■ Headline
■ Caption
■ Matrix
■ Narrative
■ Flowchart
■ Playscript


In Chapter 7 we discussed the elements of information classification. We
reviewed why it is necessary to classify information and discussed the structure
of a topic-specific policy. We reviewed the need to restrict the number of
categories for better use and what constitutes confidential information. We
then discussed the need for a methodology to score information in order to
place it in its proper classification level and the need for an information
handling standards matrix. Finally we examined the need for a policy on
employee responsibilities, especially: owner, custodian, and user.

In Chapter 8 we discussed how information security is more than just
policies, standards, procedures, and guidelines. It is more than audit comments
and requirements. It is a cultural change for most employees. Before employees
can be required to be compliant with a security program, they first must
become aware of the program. Security awareness is an ongoing program
that employees must have contact with on at least an annual basis.

Information security awareness does not require huge cash outlays. It does
require time and proper project management. Keep the message in front of
the employees. Use different methods and means. Bring in outside speakers
whenever possible and use videos to your best advantage.

In Chapter 9 we discussed managing the development of security policies
and procedures as a project, involving the application of a variety of skills,
tools, experiences, and techniques. Project management processes help guide
project activities to meet or exceed stakeholder needs and expectations. A
primary objective of project management is to manage resources efficiently and
effectively to deliver products on time and within budget while attaining a
given level of quality. The intent of this chapter was to introduce a few key
project management concepts that should be readily adaptable to a policies and
procedures development project.

In Chapter 10 we discussed the ISO 17799 document and gave examples 
of a policy for each section. We discussed the objectives and key terms. When 
you review the ten sections of ISO 17799, you will notice that there are nearly 
700 suggestions on things to have and to include. Select what is needed and 
keep the rest for reference. Remember that policies, standards, and procedures 
are vital and active. They will need to be reviewed on a regular basis to see 
if they are still appropriate. 


APPENDICES


Appendix A 


Policy Baseline Checklist 


Policy Baseline 


Best practices indicate that the following elements should be addressed when 
developing policy-related documentation for a client. The 71 requirements 
denote technical requirements for which technology-specific procedures are 
required for their implementation. 


Security Management Policy

Data Classification Directive: This directive describes requirements for a
program to classify information resources by sensitivity, including designation
of information owners, establishment of levels of classification by sensitivity,
and periodic review of information.

■ Information Ownership Requirement: Ensure that there is a written requirement
that an owner is identified for all information processed on company systems.
This should include individual files as well as collective files/records grouped
in directories, databases, and data sets.

■ Classification Levels Requirement: This section describes and provides
examples of the various classification levels implemented for company data
(e.g., confidential, sensitive, and restricted).

■ Classification Designation Requirement: Include a section that outlines the
process for original designation of data by information owners.

■ Classification Review Requirement: Include a requirement that data
classification be reviewed by information owners on a periodic basis (e.g.,
annually) to ensure that the assigned level is still appropriate.




System Monitoring Policy: This section describes policies related to monitoring
system activities for unauthorized activities to ensure that security controls
are not tampered with or bypassed. This includes requirements for reporting
observed violations, monitoring network security, use of intrusion detection
systems, and response to security-related incidents.

Violation Reporting Directive: This addresses requirements for reporting
security-related events in a timely fashion.

■ Customer Reporting Requirements: Establish requirements that customers are
responsible for reporting any suspected security breaches or violations.

■ Timeliness of Reporting Requirements: Address requirements that security
breaches be reported in a timely manner based on the severity of the incident
and the nature of the data involved.

Network Security Monitoring Directive: This documents company policy and
standards for monitoring network activity. This includes identification of who
can monitor, how monitoring is authorized, restrictions on monitoring,
activities that will be monitored, information that is to be recorded, and
procedures for reviewing recorded audit trail information.

■ Authority to Monitor Requirements: Create a requirement that ensures users are
aware of the company authority to monitor network traffic.

■ Monitoring Policy Publication Requirement: To maximize the effectiveness of
auditing, establish a requirement for the company to publicize the fact that it
is policy to audit network activity.

■ Authorization of Monitoring Activities Requirement: Define requirements that
the company must formally authorize all monitoring activities.

■ Control of Monitoring Devices Requirement: This section should identify
requirements that only authorized personnel are allowed to use network
diagnostic test hardware and software, such as sniffers and monitoring devices,
to monitor traffic on the company network.

■ Activities to be Monitored Requirements: Establish requirements that define
the types of system activities that will be monitored (e.g., failed log-on
attempts).

■ Audit Trail Content Requirements: Define requirements for the elements of
information that will be recorded for each event in the audit trail (e.g.,
userid, date/time).

■ Audit Trails Retention Requirements: Identify requirements that audit trails
will be maintained in accordance with previously established company rules
pertaining to retention of sensitive information.

■ Audit Trails Protection Requirements: Establish requirements for protecting
audit trails from disclosure to personnel who do not have a need to access
them, and from inadvertent deletion, destruction, or modification.




■ Information Sharing Requirements: Establish a requirement that, as part of the
approval process for connecting to the company network, network partners must
agree to share audit trail data in the event of an incident.

■ Audit Trail Review Requirements: Address requirements for the regular and
frequent review of the contents of the audit trail data.

Use of Intrusion Detection Systems (IDS) Directive: This provides requirements
for the use of automated intrusion detection systems to provide real-time
monitoring of network activities.

■ Real-Time Monitoring Requirement: This section outlines requirements for the
use of intrusion detection systems to perform real-time analysis of network
traffic patterns to detect attempted attacks.

■ Use of IDS with Public Access Systems Requirement: Identify requirements that
publicly accessible systems (e.g., external Web sites) must utilize system
monitoring tools that provide real-time alerts whenever suspicious user
activity is detected.

Incident Response Directive: This establishes a process for responding to
security violations and incidents to limit further damage to information
resources and to permit identification and prosecution of violators.

■ Notification Requirements: Identify requirements for officials and
organizations that must be notified in the event of an incident.

■ Isolation Requirements: Provide requirements to take action to limit the
effects of an incident through isolation of the problem as narrowly as
possible.

■ Documentation Requirements: Establish requirements for documenting the
incident.

■ Investigation Requirements: Define requirements for investigating the
incident, to include external law enforcement as well as internal
investigative capabilities.

■ Reporting Requirements: Address requirements for providing reports to
officials and agencies who need them, including time frames for submission.

■ Follow-Up Requirements: Establish requirements for tracking resolution of
incidents and following up on any pending corrective actions.

User Account Administration Policy: This section establishes policy for
administering the accounts of system users, to include user ids, passwords,
privilege management, user transfer/termination, and application system access
controls.

User Identification Directive: This section establishes a directive governing
the management of user accounts and identification numbers.

■ Sponsorship of Users Requirements: Identify a requirement that the relevant
business unit must identify the process to verify a user's identity as a
condition for providing credentials, or for utilizing any credentials (such as
digital certificates) the user may already possess.




■ Issuance of User ids Requirements: Define a requirement for a user to provide
sufficient identifying information upon registration that the sponsoring
business function can verify the user's business relationship to the company
and the appropriate information access permissions.

■ User id Composition Requirements: Establish a requirement that user ids will
consist of a minimum of four alphanumeric characters, with no maximum other
than system-imposed limits.

■ Inactive Accounts Requirements: Create a requirement that user accounts that
have been inactive for more than 60 days will be disabled, until the specified
user requests that the account be re-enabled and provides proof of identity,
including proof that the user's business relationship with the company has not
changed.

■ Sharing/Group Accounts Requirements: Establish a requirement that although a
single user id may be shared across multiple systems and applications, the use
of group ids will be prohibited.

■ Default Accounts Requirements: There should be a requirement that default
user ids shipped with software be disabled.

■ Privileged Accounts Requirements: Define a requirement that users who are
granted privileged access (i.e., access to system security mechanisms, etc.)
will use a different account name from that of a normal user.

■ Least Privilege Requirements: There should be a requirement that the level of
access granted will be appropriate for the business purpose and is consistent
with organization security policy (e.g., does not compromise segregation of
duties).

■ Auditing Accounts Requirements: On a quarterly basis, system administrators
should be required to conduct an audit of current user accounts to ensure that
the accounts of unauthorized users have been removed.

■ Last Login/Logout Notification Requirements: Where technically feasible, upon
login the user should be presented with the date and time of last login and
logout, along with contact information if the user wishes to report a
discrepancy with the user's records.

■ Failed Access Attempts Requirements: There should be a requirement that three
successive failures within a 24-hour period will result in a user's account
being locked. Additionally, users should not be able to log in until their
account is unlocked.

■ Protection of User Identification Information: Identify requirements for
safeguarding user identification information from unauthorized disclosure.

Password Management Directive: This establishes requirements for user passwords.

■ Password Storage Requirements: There should be a requirement for user
passwords to be stored on computer systems in encrypted form only, and password
entry should be masked.
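Two of the requirements above (Inactive Accounts, Failed Access Attempts) state numeric thresholds that an account-administration system has to enforce, and the subtle part is the window: "three successive failures within a 24-hour period" means a sliding window in which an old failure ages out and a successful log-on ends the run. The following is an added example (not from the book) that implements both rules; the Account class, the reference time T0 and the sample timeline are constructed for illustration.

```python
"""Account-state checks for two requirements in the checklist above: three
successive failed log-on attempts within 24 hours lock the account, and an
account idle for more than 60 days is disabled until the user re-verifies
identity.  Added example, not the book's code; the Account class, the
reference time T0 and the timeline under __main__ are constructed.
"""
from datetime import datetime, timedelta

LOCKOUT_FAILURES = 3                 # from "three successive failures"
LOCKOUT_WINDOW = timedelta(hours=24)  # from "within a 24-hour period"
INACTIVITY_LIMIT = timedelta(days=60) # from "inactive for more than 60 days"

T0 = datetime(2024, 1, 1, 9, 0)       # constructed reference time


def at(days=0, hours=0):
    """T0 shifted by the given offset (helper for the demo and tests)."""
    return T0 + timedelta(days=days, hours=hours)


class Account:
    def __init__(self, user_id, last_login):
        self.user_id = user_id
        self.last_login = last_login
        self.failures = []      # timestamps of the current run of failed attempts
        self.locked = False     # set by the lockout rule; cleared by an administrator
        self.disabled = False   # set by the inactivity rule; cleared after identity proof

    def _prune_failures(self, now):
        """Keep only failures inside the sliding 24-hour window."""
        self.failures = [t for t in self.failures if now - t <= LOCKOUT_WINDOW]

    def check_inactivity(self, now):
        """Disable the account if it has been idle longer than the limit."""
        if now - self.last_login > INACTIVITY_LIMIT:
            self.disabled = True
        return self.disabled

    def record_failure(self, now):
        """Register a failed log-on; return True if the account is now locked."""
        self._prune_failures(now)
        self.failures.append(now)
        if len(self.failures) >= LOCKOUT_FAILURES:
            self.locked = True
        return self.locked

    def record_success(self, now):
        """Register a correct password; return False if the account may not log on."""
        if self.locked or self.check_inactivity(now):
            return False
        self.failures.clear()   # "successive": a success ends the run of failures
        self.last_login = now
        return True

    def unlock(self):
        """Administrator clears a lockout after verifying the user's identity."""
        self.locked = False
        self.failures.clear()

    def re_enable(self, now):
        """Restore a disabled account once identity and business relationship are confirmed."""
        self.disabled = False
        self.last_login = now


if __name__ == "__main__":
    acct = Account("jsmith", last_login=T0)
    for when in (at(days=1), at(days=1, hours=1), at(days=1, hours=23)):
        print(f"{when}: failure -> locked={acct.record_failure(when)}")
    print(f"login while locked accepted: {acct.record_success(at(days=2))}")
    idle = Account("dave", last_login=T0)
    print(f"login after 61 idle days accepted: {idle.record_success(at(days=61))}")
```

Note the deliberate asymmetry: an administrator clears a lockout, but a disabled account is only restored through re_enable after the user has re-proved identity and business relationship, as the Inactive Accounts requirement states.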




■ Password Composition Requirements: Password composition requirements should
call for passwords to consist of a minimum of six alpha and numeric characters
and not to contain the user's name or user id.

■ Password Composition Standards: In this section, identify minimum
requirements for password composition (i.e., length, alphanumeric, special
characters, and examples of weak passwords).

■ User Selection of Passwords Requirements: Establish a requirement that, when
technically feasible, users should be provided with the capability to change
their password on the login interface after authentication.

■ Password Expiration Requirements: Requirements for passwords for normal user
accounts should include expiration after a maximum of 60 calendar days, and a
new password should be created at that time. Passwords for privileged user
accounts (e.g., root, administrator, supervisor) should be required to expire
after a maximum of 30 calendar days.

■ Password History Requirements: Detail requirements designed to ensure that
users must select a unique password and avoid reuse of previously selected
passwords.

■ Password Issuance Requirements: Identify a requirement that when a user is
provided with an initial password, this password must be changed the first
time the user logs into a service (one-time password).

■ Password Reset Requirements: User password resets should be performed when
requested by the user, after verification of identity. There should be a
requirement for the relevant business group to be responsible for defining the
verification credentials. The new password should be a one-time password.

■ Password Reset Procedures: Identify here the procedures for obtaining a new
password in the event that a user-selected password is forgotten or expires.

■ Default Passwords Requirements: There should be a requirement that default
passwords shipped with software be disabled or changed.

■ Password Confidentiality Requirements: There should be a requirement for user
passwords to remain confidential and not to be shared, posted, or otherwise
divulged in any manner.

Privilege Management Directive: This documents the process for approval,
issuance, and management of discretionary access to systems, directories, and
files.

■ Need-to-Know Requirements: Identify requirements for privileges to be
allocated to individuals on a “need-to-use” basis and on an “event-by-event”
basis (i.e., the minimum requirement for their functional role only when
needed).

■ Authorization Requirements

An authorization process should be required and a record 
of all privileges allocated should be made. Privileges 
should not be granted until the authorization process is 
complete. 
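The account and password rules spelled out in the preceding checklist entries (lockout after three successive failures within 24 hours, six-character alphanumeric composition that excludes the user's name or id, 60-day expiration for normal and 30-day for privileged accounts, no reuse of earlier passwords, one-time initial and reset passwords, and storage of passwords only in protected form) can be enforced in one small account model. The following Python block is an added example and is not code from the book; the `Account` class, its method names, the PBKDF2-SHA256 hashing and the timestamps are assumptions chosen for illustration.

```python
"""Account and password rules from the checklist above (added example, not the book's code)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 6                                    # minimum of six alpha and numeric characters
MAX_AGE_DAYS = {"normal": 60, "privileged": 30}   # expiration: 60 days normal, 30 days privileged
MAX_FAILURES = 3                                  # three successive failures ...
FAILURE_WINDOW = timedelta(hours=24)              # ... within a 24-hour period lock the account


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Only a salted hash is ever stored; PBKDF2-SHA256 is an assumed choice of algorithm."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def composition_errors(password: str, user_name: str, user_id: str) -> List[str]:
    """List the composition rules a candidate password violates (empty list means acceptable)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than six characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        errors.append("must contain both letters and digits")
    lowered = password.lower()
    if user_name.lower() in lowered or user_id.lower() in lowered:
        errors.append("contains the user's name or user id")
    return errors


class Account:
    """One user account tracked against the checklist's password rules (hypothetical class)."""

    def __init__(self, user_id: str, user_name: str, initial_password: str,
                 privileged: bool = False, now: Optional[datetime] = None):
        self.user_id, self.user_name = user_id, user_name
        self.kind = "privileged" if privileged else "normal"
        self.history = [hash_password(initial_password)]   # salted hashes, newest last
        self.failures: List[datetime] = []                  # timestamps of failed logins
        self.locked = False
        self.must_change = True            # issued password is one-time: change at first login
        self.last_change = now or datetime.now()

    def _matches(self, password: str, entry: Tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def verify(self, password: str, now: Optional[datetime] = None) -> str:
        """Login attempt: 'ok', 'change_required', 'expired', 'locked' or 'denied'."""
        now = now or datetime.now()
        if self.locked:
            return "locked"
        if not self._matches(password, self.history[-1]):
            # keep only failures inside the 24-hour window, then add this one and count
            self.failures = [t for t in self.failures if now - t < FAILURE_WINDOW] + [now]
            if len(self.failures) >= MAX_FAILURES:
                self.locked = True           # stays locked until an administrator resets it
                return "locked"
            return "denied"
        self.failures.clear()                # a successful login ends the failure streak
        if self.must_change:
            return "change_required"
        if now - self.last_change > timedelta(days=MAX_AGE_DAYS[self.kind]):
            return "expired"
        return "ok"

    def change_password(self, new_password: str, now: Optional[datetime] = None) -> List[str]:
        """Apply composition and history rules; returns the violations (empty on success)."""
        errors = composition_errors(new_password, self.user_name, self.user_id)
        if any(self._matches(new_password, entry) for entry in self.history):
            errors.append("reuses a previous password")
        if not errors:
            self.history.append(hash_password(new_password))
            self.last_change = now or datetime.now()
            self.must_change = False
        return errors

    def admin_reset(self, one_time_password: str, now: Optional[datetime] = None) -> None:
        """Reset after identity verification: the new password is one-time and unlocks the account."""
        self.history.append(hash_password(one_time_password))
        self.last_change = now or datetime.now()
        self.must_change, self.locked = True, False
        self.failures.clear()
```

Every method accepts an explicit `now` so that expiration and the 24-hour failure window can be exercised with fixed timestamps rather than the wall clock; a real system would read the clock and would persist the salted hashes instead of keeping them in memory.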


Information Security Policies, Procedures, and Standards 


Management by Platform Requirements 
    Establish a requirement that the privileges associated with each system product (e.g., operating system, database management system) be identified, as well as the categories of staff to which they need to be allocated. 

Special Privileges Requirements 
    There should be a requirement for users that are assigned high privileges for special purposes to use a different user identity for normal business use. 

User Termination Directive 
    This provides guidance on actions to be taken in the event an authorized user is terminated. 

Revocation Requirements 
    Identify a requirement that all ids and passwords are revoked upon termination of customer personnel and that access be revoked or modified upon transfer of responsibilities. 

Customer Function Change Notification Requirements 
    Customers should be required to notify company management of changes in the customer's status in order to ensure that access privileges are appropriately adjusted. 

Customer Clearance Requirements 
    Establish requirements that PCs, keys, ID cards, software, data, documentation, manuals, etc. of terminated customers be returned to the company. 

Involuntary Termination Requirements 
    There should be a requirement that procedures for the removal of customers terminated for cause be established. 

Workstation Security Policy 
    This section provides policy on the security of company information processed, stored, or transmitted on desktop and laptop computer systems. 

Ownership of Software Directive 
    This establishes requirements related to the ownership of company developed, owned, or licensed software. 

Proprietary Software Control Requirements 
    Identify a requirement that authorization is to be obtained from business management before distributing proprietary software that is owned by the company to a third party. 

Software Licensing Agreements Requirements 
    Address requirements for all users to adhere to package software license agreements and copyright laws. Users will be required to copy package software only in accordance with the license agreement (e.g., a backup copy for protection). 

Vendor Use Review Requirements 
    Establish requirements for the periodic review of vendor use of proprietary, company-owned software. 

Data Backup/Recovery Directive 
    This addresses user requirements for backing up data in relation to system backup activities. 


User Responsibilities Requirements 
    Establish a requirement that users ensure that all data on their workstations are backed up regularly. The preferred manner of ensuring that this is accomplished should be to save or copy data to a directory that is routinely backed up by the system administrator. Where this is not possible, users should back up data files to diskette. 

System Administrator Backup Requirements 
    Identify a requirement for system administrators to ensure that backups of software on the servers are performed, and that off-site storage procedures are followed. 

Virus Prevention Directive 
    This documents requirements for the prevention, detection, and eradication of malicious software on workstations. 

Approved Products Use Requirements 
    Identify a requirement that only standard/approved products that have been obtained from authorized suppliers will be installed onto workstations. 

Scanning Software Use Requirements 
    Establish a requirement that virus filters and/or detection programs be used prior to installing any software on a workstation. 

Virus Response Requirements 
    There should be a requirement that if a virus is suspected, the system administrator will disconnect the workstation from the network immediately, will notify management, and will remove the virus prior to any reconnection to network services. 

File Server Access Directive 
    This covers requirements necessary to provide additional security to servers. 

Server Physical Access Requirements 
    Establish a requirement that file servers will be secured in locked cabinets, closets, or offices and access will be limited to individuals with a documented business need for such access. 

Server Identification and Authentication Requirements 
    Identify a requirement that system administrators will utilize system security features for identification and authentication of individuals attempting file server access, and for recording and review of unsuccessful file server access attempts. 

Network Security Policy 
    This section provides direction on the security of networked company information resources. 

Network Operations Directive 
    This documents requirements for gaining access to the network or network routers, logging of activities, and greeting and warning screen content and location. 

Greeting Screen Requirements 
    Establish a requirement restricting the display of a greeting of any kind to any external network connection until the user is authenticated and authorized through a sign-on sequence. 

Warning Message Requirements 
    Where technically feasible, require that a message be displayed on all external network connections warning potential users that unauthorized use is prohibited. 


Network Access Requirements 
    Ensure that system administrators require that the host operating system validate each user prior to allowing network access. Once verified, users should be required to be automatically directed to applications for which they have been authorized. 

Router Access Requirements 
    Create a requirement that only authorized administrators be allowed logical access to routers. 

Activity Logging Requirements 
    Require that all network infrastructure platforms implement security-related event logging. 

Confidentiality of Network Addresses Requirements 
    Ensure that there is a requirement that the internal addresses, configurations, and related system design information for networked computer systems be restricted so that external systems and users cannot access this information without explicit management approval. 

Avoidance of Trust Relationships Requirements 
    Ensure that wherever possible trust relationships are strictly avoided between systems with different risk profiles. 

Network Privacy Directive 
    This establishes requirements designed to assure the privacy of data transmitted on the network, to include restriction to business use only, restriction on user browsing, consideration of e-mail as official correspondence, and requirements for backing up e-mail for potential legal use. 

Business Use Only Notification Requirements 
    Require that there be notification that company computers are to be used for valid business reasons only. 

Restrictions on Browsing Requirements 
    Establish a requirement for each user to avoid accessing areas on company networks for which the user does not have a valid business need, and that it is each user's responsibility to exercise judgment regarding the information accessed. 

Confidentiality Controls Directive 
    This provides guidance on implementing controls designed to protect the confidentiality of transmitted information. 

Message Authentication Requirements 
    Create a requirement that message authentication will be employed for applications where the integrity of message content is vital. Hardware and/or software mechanisms should be implemented to detect unauthorized changes to, or corruption of, the contents of a transmitted electronic message. Message authentication should be used along with encryption to reduce further the potential for eavesdropping. 

Encryption Requirements 
    Establish a requirement that information that is classified as highly sensitive should be encrypted while passing through the network using encryption software or hardware approved by the information security function. 
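The message authentication requirement above asks for a mechanism that detects unauthorized changes to, or corruption of, a transmitted message. The following Python block is an added example of such a mechanism using a keyed hash (HMAC-SHA256) over each message; it is not code from the book. The `send`/`receive` helpers, the `body|hex-tag` wire layout and the demo key are assumptions chosen for illustration, and the companion encryption control the checklist calls for is left to whatever approved library the information security function selects, since a keyed hash gives integrity and origin checking but no confidentiality.

```python
"""Message authentication for transmitted messages (added example, not the book's code)."""
import hashlib
import hmac
import json
from typing import Optional

SEPARATOR = b"|"   # assumed wire layout: <json body>|<hex tag>


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message body; only holders of the shared key can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, payload: dict) -> bytes:
    """Sender side: serialize deterministically and append the tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body + SEPARATOR + make_tag(key, body).hex().encode()


def receive(key: bytes, wire: bytes) -> Optional[dict]:
    """Receiver side: recompute the tag over the received body and reject any mismatch.

    Returns the payload, or None when the message is malformed, was altered in
    transit, or was produced under a different key.
    """
    body, sep, tag_hex = wire.rpartition(SEPARATOR)
    if not sep:
        return None
    try:
        expected = bytes.fromhex(tag_hex.decode())
    except ValueError:                       # covers bad hex and undecodable bytes
        return None
    # constant-time comparison so the check itself leaks nothing about the tag
    if not hmac.compare_digest(make_tag(key, body), expected):
        return None
    return json.loads(body)


if __name__ == "__main__":
    key = b"constructed-demo-shared-key"     # constructed for the demo; real keys come from key management
    wire = send(key, {"to": "acct-42", "amount": 100})
    print(receive(key, wire))                # original payload is accepted
    print(receive(key, wire.replace(b"100", b"900")))   # altered amount is rejected: None
```

A flipped byte, an edited field, or a message forged without the key all fail the same check, which is the property the checklist wants the receiving application to enforce before acting on message content.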


Device Identification Requirements 
    Require that the physical component and, where possible, the location of the logical access request be identified to the system being accessed. Devices may include terminals, lines, communication nodes, controllers, remote processors, and personal computers. 

Network Acceptable Use Directive 
    This section provides to users rules related to acceptable use of the network. 

Lack of Public Network Confidentiality Awareness Requirements 
    Establish a requirement that any messages sent over the Internet are not considered secure unless additional measures are taken to protect such information (e.g., encryption). Users should communicate via e-mail as they would in a public meeting (e.g., if you are not comfortable saying something to a room of people, it should not be said via e-mail). 

Internet Rules of Behavior Requirements 
    There should be a requirement that states that using company facilities or equipment to make abusive, unethical, or “inappropriate” use of the Internet will not be tolerated and may be considered grounds for disciplinary action, including termination of employment. 

Control of Sensitive Data Requirements 
    Sensitive information should not be transmitted over the Internet without prior management approval and reasonable security measures (such as encryption or other appropriate method) in place. Credit card numbers, telephone calling card numbers, login passwords, and other parameters that can be used to gain access to goods or services should not be sent over the Internet in readable form. 

Software Security Policy 
    This section provides direction on security aspects of software development and maintenance. 

Proprietary Property Protection Requirements 
    Establish a requirement that information systems resources under development (e.g., programs, files, and documentation) be considered company assets that will be provided protection as would be applicable to the finished product. 

Licensing Agreement Compliance Requirements 
    All developers should be required to adhere to package software license agreements and copyright laws. They should only copy package software products in accordance with the license agreement (e.g., a backup copy for protection). 

Authorization to Copy Requirements 
    Require that written authorization from the vendor be obtained to copy products licensed to run on a specific computer or at a particular site onto another computer or another site. 

Security of Third-Party Services Policy 

Customer Nondisclosure Requirement 
    Establish requirements for customers to sign nondisclosure arrangements and/or confidentiality agreements. All customer personnel will be informed in a written statement of the importance of data processing security. 


Customer Statement of Awareness Requirement 
    Ensure that customers are required to acknowledge their awareness of company information security policies, and their responsibility for adhering to them. 

Customer Violation Reporting Requirements 
    Define requirements to ensure that customers are aware of their responsibility for immediately informing the manager responsible for the contract of any security breaches, including unauthorized access to or compromise of company data or resources. 

Provisions for Software Ownership Requirements 
    Establish requirements to ensure that contract agreements define company ownership of software developed under the contract. 


Appendix B 


Sample Corporate Policies 


Conflict of Interest Policy 


Company employees are expected to adhere to the highest standards of 
conduct. To assure adherence to these standards, employees must have a 
special sensitivity to conflict-of-interest situations or relationships, as well as 
the inappropriateness of personal involvement in them. Although not always 
covered by law, these situations can harm Your Company or its reputation if 
improperly handled. 


Provisions 


1. A conflict of interest occurs when an employee's personal interests 
conflict with the company interests. Conflicts of interest may also 
involve relationships between members of the employee's immediate 
family and the company. In conflict-of-interest situations, employees 
are expected to act in the best interests of the company. 

2. The following standards for ethical behavior in conflict-of-interest sit- 
uations are established for all employees: 

a. When actual or potential conflict-of-interest situations arise, or where 
there is an appearance of such conflict, employees shall remove 
themselves from involvement in the matter. In no case should 
employees become involved to the extent where they are or could 
be influenced to make decisions that are not in the best interest of 
the company. 

b. Employees shall not solicit or accept personal gain, privileges, or 
other benefits through involvement in any matters on behalf of Your 
Company. 




c. Employees shall direct their efforts to company business while at 
work, and shall use company resources only for management- 
approved activities. Resources include, but are not limited to, equip- 
ment, supplies, corporate information, and company-paid time. 


Responsibilities 


1. Whenever faced with an actual or potential business-related conflict- 
of-interest situation, employees shall seek guidance from their supervisors. 

2. When conflict-of-interest questions cannot be resolved within the orga- 
nizational unit, employees may request advice from the General Auditor. 

3. When requested, employees shall also disclose actual and potential 
conflict-of-interest situations to the General Auditor. 

4. The General Auditor shall review each situation and advise the orga- 
nizational unit of any recommended action the employee should take. 


Common Conflict-of-Interest Situations 


The specific situations described in this section are common, but are not all- 
inclusive of business-related conflict-of-interest situations that may arise for 
Company employees. 


1. Gifts, etc.: Giving gifts, providing meals and entertainment, and offering 
site tours and product samples are common business practices. Because 
the intent of these practices is to build relationships and influence 
business decisions, such practices can result in conflict of interest. 
Company expenses incurred in any of the following situations are 
subject to organizational approval. 

a. Gifts: Gifts generally benefit the employee, but not the company. In 
dealing with suppliers, customers, or others outside the company, 
employees shall not accept or give money or gifts, except an occa- 
sional, unsolicited, nonmonetary item of a token nature, such as an 
advertising novelty of nominal value. 

b. Meals and entertainment: In dealing with suppliers, customers, or 
others outside the company, employees shall not accept or provide 
meals or entertainment, except when there is a business purpose. 
The provider of the meal or entertainment should be present at the 
occasion. Frequent or repeated acceptance of meals and entertain- 
ment may be an indicator of the employee's personal gain, and could 
raise questions about the legitimacy of the business purpose for such 
occasions. When there is a business purpose for frequent meals or 
entertainment, the company encourages reciprocation. 

c. Travel: When there is a business purpose for travel, the company 
should pay travel expenses. Employees should not accept air transportation 
offered by vendors or others outside the company when 
convenient commercial transportation is available. Generally, the 
company should pay for lodging expenses. 

d. Product samples: If Your Company wants a sample product or service 
of more than nominal value, Your Company should pay for it. 

2. Outside work: Employees who have another job outside of Your 
Company shall not represent themselves as performing work for Your 
Company when doing such jobs. Furthermore, they may not use Your 
Company resources in performing the other job. Employees shall not 
be employed by competitors of Your Company. 

3. Interest in outside business organizations: Employees shall avoid 
significant financial or management interest in any business that does 
or seeks to do business with Your Company if such involvement could 
cause employees to make business decisions that are not in Your 
Company's best interest. 

4. Use of confidential or proprietary information: Employees 
entrusted with such information shall restrict access and use to authorized 
individuals inside and outside the company who have a clear 
business need to know this information. 

5. Insider trading: No employee who has material nonpublic (“insider”) 
information relating to the company may use that information in buying 
and selling securities of Your Company, either directly or indirectly. 
Furthermore, employees may not engage in other actions to take 
personal advantage of that information or pass it on to others. Even 
the appearance of an improper transaction must be avoided to preserve 
the reputation of the company for adhering to the highest standards 
of conduct. 


Item 4 of the conflict-of-interest situations states that the use of confidential 
or proprietary information must be controlled to those with an identified 
business need for access. Wherever possible, have the corporate policies 
support the information security policy. 


Employee Standards of Conduct Policy 


Company employees are expected to conduct themselves in a professional 
and business manner at all times when on company property or when 
representing Your Company. 


Provisions 


Company employees are expected to adhere to the following standards of 
conduct: 


1. Employees shall act in an ethical manner, and shall avoid actions that 
have the appearance of being unethical. 

2. Employees shall abide by applicable laws, regulations, and professional 
standards. 

3. Employees shall avoid conflict-of-interest situations. (See Conflict of 
Interest policy for more information.) 

4. Employees shall meet individual performance expectations. 

5. Employees shall abide by company and organizational policies and 
practices. 

6. Employees shall accurately and honestly record and report corporate 
information in a timely manner. 

7. Employees shall also maintain the confidentiality of corporate informa- 
tion. (See Information Classification policy.) 

8. Employees shall treat co-workers and others with dignity and respect. 


Responsibilities 


Employees who violate these standards of conduct are subject to disciplinary 
action up to and including discharge. In some cases, employees may also be 
subject to criminal charges. 


1. Employees are expected to use intelligence, common sense, and good 
judgment in applying these standards of conduct. 

2. When in doubt, employees shall direct questions relating to the stan- 
dards of conduct to their supervisors. 

3. Employees who observe conduct that does not appear consistent with 
these standards of conduct should discuss the matter with their supervisor. 
The supervisor shall report fraudulent activity to the General Auditor. 

4. Any employee who has suffered a violation of the standards of conduct 
should immediately report the matter to his or her supervisor or to the 
Vice President of Human Resources. 

5. All complaints shall be investigated in as discreet a fashion as possible. 
Once the investigation is complete, appropriate action will be taken. 




6. Supervision shall provide appropriate feedback to those who report 
misconduct. 

7. Your Company will not retaliate against employees who report sus- 
pected misconduct. 

8. Company management has the responsibility to manage corporate 
information, personnel, and physical properties relevant to its business 
operations, as well as the right to monitor the actual utilization of all 
corporate assets. 

9. If an employee becomes involved in a legal matter arising out of 
employment with Your Company, and if, in the opinion of the General 
Counsel, the employee was acting in good faith, within the scope of 
the job responsibilities, the company shall provide or select legal 
counsel and indemnify that employee and legal counsel if indemnifi- 
cation is not otherwise available to the employee. 


Unacceptable Conduct 


1. Supervisors shall follovv appropriate disciplinary procedures, up to and 
including discharge, for employees whose work performance or behav- 
ior does not meet the standards of conduct. Some examples of unac- 
ceptable conduct are shown below. This list is not all-inclusive. 

a. Work performance 
i. Failure to meet job requirements 
ii. Unacceptable work performance 
b. Attendance and tardiness 
i. Absence without notice or permission 
ii. Failure to notify as required 
iii. Excessive tardiness or excessive absence 
c. Conduct — General 
i. Alcohol or substance abuse when on company premises or 
business 
ii. Conflict-of-interest activities 
iii. Dishonesty 
iv. Failure to maintain acceptable appearance and hygiene standards 
v. Gambling or operating a lottery while on the job 
vi. Possession of unauthorized weapons or cameras on company 
property 
vii. Sleeping on the job 
viii. Unauthorized use or possession of company property 
ix. Insubordination 
x. Violation of a copyright or software licensing agreement, including 
the introduction of non-company-approved software or code 
into any company system 




Harassment 


Harassment can take many forms in words or actions that are either implied 
or clear and direct. It is not limited by position, sex, or race. Harassment 
includes, but is not limited to, sexual harassment, verbal abuse, or threatening 
others. 

Sexual harassment refers to behavior of a sexual nature that is unwelcome 
and offensive and is a form of misconduct that undermines the integrity of 
the employment relationship. Sexual harassment means unwelcome sexual 
advances, requests for sexual favors, and other verbal or physical conduct or 
communication of a sexual nature when: 


1. Such conduct or communication has the purpose or effect of substan- 
tially interfering with an individual's employment or creating an intim- 
idating, hostile, or offensive work environment 

2. Submission to such conduct or communication is made a term or 
condition either explicitly or implicitly to obtain employment 

3. Submission to, or rejection of, such conduct or communication by an 
individual is used as a factor in decisions affecting such individual's 
employment 


Compliance 


1. Company management has the responsibility to: 

a. Ensure that all employees are aware of and understand their obligation 
to behave in an ethical and proper manner. 

b. Note variance from established conduct standards and initiate cor- 
rective action as appropriate, including: 

2. Employees who commit any of the following will normally be subject 
to immediate discharge. This list is not all-inclusive. An employee may 
be discharged for serious offenses or for any reason management deems 
appropriate, including: 


a. Absence without notice for three consecutive work days 

b. Defrauding company 

c. Falsifying company records 

d. Physical assault 

e. Possessing, selling, distributing, dispensing, manufacturing, or using 
illegal drugs while on company premises or business 

f. Theft of company, employee, customer, or supplier information 
resources, or other property 

g. Willfully destroying company, employee, customer, or vendor information 
resources, or other property 




External Corporate Communications Policy 


Your company is committed to building good relationships by effectively 
communicating with clients and the general public. All employees are 
required to obtain approval from Your Company regarding interaction with 
these groups. 


Scope 


All external company communications shall be: 


1. Truthful, credible, and consistent with the company's performance and 
actions 
2. In accordance with applicable legal and regulatory requirements 


This policy includes, but is not restricted to, white papers, articles, speeches, 
books, summaries, and software. 


Definitions 


Your Company employees can create different types of written documents, to 
include: 


1. Executive overview — a one-page summary of materials presented 
in-depth somewhere else 

2. Articles — documents printed by some third party that may assume 
copyright control over the material 

3. White paper — detailed, authoritative report with an informed conclusion 

4. External communication — 

a. Your Company is open, honest, and willing to help media and others 
seeking information about the company. However, each employee 
shall take care not to disclose information that violates the privacy 
of employees and customers. Each employee shall also take care not 
to disclose information that is proprietary (Confidential or Internal 
Use) or could be of strategic or competitive business value to others. 

b. The CIO shall designate employees that have authority to sign 
correspondence or other external communications or issue public 
statements on behalf of the company. Formal communications to 
audiences on behalf of the company, such as speeches, technical 
papers, and brochures, shall be approved prior to release or publi- 
cation by Your Company. 

c. The CIO shall approve all communication with the media, such as 
newspapers, radio, television, news groups, and magazines. Only 
senior management may release written communications to the 
media. 




Responsibilities 


Your Company management has the responsibility to: 


1. Ensure that all employees understand their rights and obligations relat- 
ing to external communication. 

2. Review employee documents to ensure protection of company propri- 
etary resources. 


Your Company employees have responsibility to: 


1. Protect your company proprietary resources, especially when commu- 
nicating to third parties. 

2. Use the appropriate white paper format available through Corporate 
Communications. 

3. Ensure a proper copyright statement is included in all documents made 
available to third parties (© Your Company, all rights reserved). 

4. Ensure that appropriate Your Company management reviews the con- 
tents prior to distribution. 


Compliance 


Your Company management has the responsibility to: 


1. Ensure that all employees are aware of this policy and are in compliance. 

2. Report any variances to Corporate Communications and take appro- 
priate corrective action. 


Company employees have responsibility to: 


1. Be in compliance with this policy. 
2. Report to Your Company management any noncompliant situations. 




Information Protection Policy 


Information is a company asset and is the property of Your Company. Your 
Company information includes information that is electronically generated, 
printed, filmed, typed, stored, or verbally communicated. Information must 
be protected according to its sensitivity, criticality, and value, regardless of 
the media on which it is stored, the manual or automated systems that process 
it, or the methods by which it is distributed. 


Provisions 


To ensure that business objectives and customer confidence are maintained, all 
employees have a responsibility to protect information from unauthorized access, 
modification, disclosure, and destruction, whether accidental or intentional. 


Responsibilities 


1. Senior management and the officers of Your Company are required to 
employ internal controls designed to safeguard company assets, includ- 
ing business information. 

2. It is a line management obligation to ensure that all employees under- 
stand and comply with Your Company security policies and standards, 
as well as all applicable laws and regulations. 

3. Employee responsibilities for protecting Your Company information are 
detailed in the Information Classification policy. 


Compliance 


1. Company management has the responsibility to manage corporate 
information, personnel, and physical property relevant to business 
operations, as well as the right to monitor the actual utilization of all 
corporate assets. 

2. Employees who fail to comply with the policies will be considered to 
be in violation of Your Company Employee Standards of Conduct and 
will be subject to appropriate corrective action. 


214 


Information Security Policies, Procedures, and Standards 


General Security 


Policy 


It is the responsibility of Your Company management to provide a safe and 
secure workplace for all employees. 


Provisions


1. Your Company offices will be protected from unauthorized access.

2. Areas within buildings that house sensitive or high-risk equipment will
be protected against fire, water, and other hazards.

3. Devices that are critical to the operation of company business processes
will be protected against power failure.


Responsibilities 


1. Senior management and the officers of Your Company are required to
maintain accurate records and to employ internal controls designed to
safeguard company assets and property against unauthorized use or
disposition.

2. The assets of the company include but are not limited to physical
property, intellectual property, patents, trade secrets, copyrights, and
trademarks.

3. Additionally, it is the responsibility of line management to ensure that
staff is aware of, and fully complies with, the company security guidelines
and all relevant laws and regulations.


Compliance 


1. Management is responsible for conducting periodic reviews and audits
to ensure the compliance of all policies, procedures, practices, standards,
and guidelines.

2. Employees who fail to comply with the policies will be treated as being
in violation of the Employee Standards of Conduct and will be subject
to appropriate corrective action.


Appendix C 


List of Acronyms 


ATM Adaptation Layer
AppleTalk Address Resolution Protocol
Area Border Router
Access Control (Token Ring)
Acknowledgment
Asymmetric Digital Subscriber Line
AppleTalk Data Stream Protocol
AppleTalk File Protocol
Amplitude Modulation
Alternate Mark Inversion (T1/E1)
American National Standards Institute
Application Programming Interface
Advanced Peer-to-Peer Networking
Address Resolution Protocol
Advanced Research Projects Agency
Autonomous System
Autonomous System Boundary Router
American Standard Code for Information Interchange
Application-Specific Integrated Circuit
Amplitude Shift Keying
AppleTalk Session Protocol
Asynchronous Transfer Mode
AppleTalk Transaction Protocol
Attachment Unit Interface
AppleTalk Update-Based Routing Protocol




BDR Backup Designated Router
BECN Backward Explicit Congestion Notification (Frame Relay)
BER Bit Error Rate
BGP Border Gateway Protocol
BIA Burned-In Address
B-ISDN Broadband ISDN
BIT Binary digit
BOOTP Bootstrap Protocol
BPDU Bridge Protocol Data Unit
BPS Bits Per Second
BRI Basic Rate Interface (ISDN)


CBR Constant Bit Rate
CCITT Consultative Committee for International Telegraph and Telephone
CCO Cisco Connection Online
CCP Compression Control Protocol
CCS Common Channel Signaling
CD Carrier Detect
CDDI Copper Distributed Data Interface
CDP Cisco Discovery Protocol
CHAP Challenge Handshake Authentication Protocol
CIDR Classless InterDomain Routing
CIR Committed Information Rate
CLP Cell Loss Priority
CLNP Connectionless Network Protocol
CLNS Connectionless Network Services
CMI Coded Mark Inversion
CO Central Office
CPE Customer Premise Equipment
CPU Central Processing Unit
CRC Cyclical Redundancy Check
CSMA/CD Carrier Sense Multiple Access/Collision Detect
CSNP Complete Sequence Number PDU
CSPDN Circuit-Switched Public Data Network
CSU/DSU Channel Service Unit/Digital Service Unit
CTS Clear To Send
CUD Caller User Data (X.25)


D 


DA Destination Address 
DAC Dual Attached Concentrator 




DARPA Defense Advanced Research Projects Agency
DAS Dual Attachment Station (FDDI, CDDI)
DCE Data Circuit-Terminating Equipment
DDP Datagram Delivery Protocol (AppleTalk)
DDR Dial-on-Demand Routing
DES Data Encryption Standard
DHCP Dynamic Host Configuration Protocol
DIX Digital-Intel-Xerox
DLC Data Link Control
DLCI Data Link Connection Identifier (Frame Relay)
DMT Discrete Multitone
DNA SCP Digital Network Architecture Session Control Protocol (DECnet)
DNIC Data Network Identification Code (X.25)
DNS Domain Name Server
DQDB Distributed Queue Dual Bus (SMDS)
DR Designated Router
DRAM Dynamic Random Access Memory
DS-0 Digital Signal Level 0 (64 kb)
DS-1 Digital Signal Level 1 (1.544 Mb)
DS-3 Digital Signal Level 3 (45 Mb)
DSAP Destination Service Access Point (LLC)
DSE Data Switching Equipment
DSL Digital Subscriber Line
DSR Data Set Ready
DSS 1 Digital Subscriber Signaling System 1
DSU Data Service Unit
DTE Data Terminal Equipment
DTR Data Terminal Ready
DUAL Diffused Update Algorithm (EIGRP)


E 


EBCDIC Extended Binary Encoded Decimal Interchange Code
EBGP Exterior Border Gateway Protocol
EDI Electronic Data Interchange
EEPROM Electrically Erasable Programmable Read-Only Memory
EGP Exterior Gateway Protocol
EIA Electronic Industries Association
EIGRP Enhanced Interior Gateway Routing Protocol
EOT End of Transmission
EPROM Erasable Programmable Read-Only Memory
ESF Extended Super Framing (T1/E1)
ET Exchange Termination
ETSI European Telecommunication Standards Institute




F
FC Frame Control (Token Ring)
FCC Federal Communications Commission
FCS Frame Check Sequence
FD Feasible Distance (EIGRP)
FDDI Fiber Distributed Data Interface
FDM Frequency Division Multiplexing
FECN Forward Explicit Congestion Notification
FEP Front-End Processor
FIFO First In/First Out
FMBS Frame-Mode Bearer Service
FRAD Frame Relay Access Device
FSIP Fast Serial Interface Processor
FSK Frequency Shift Keying
FTP File Transfer Protocol


GIF Graphics Interchange Format 
GNS Get Nearest Server (Novell) 
GOSIP Government OSI Profile (U.S.) 
GRE Generic Routing Encapsulation 
GZL Get Zone List (AppleTalk) 


HDLC High-Level Data Link Control 
HSRP Hot Standby Routing Protocol 
HSSI High-Speed Serial Interface 
HTML Hypertext Markup Language 
HTTP Hypertext Transfer Protocol 


IA Intra-Area (OSPF)
IBGP Interior Border Gateway Protocol
ICMP Internet Control Message Protocol
IDN Integrated Digital Network
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IGP Interior Gateway Protocol
IGRP Interior Gateway Routing Protocol
IOS Internetwork Operating System
IP Internet Protocol




IPC Interprocess Communications (Vines)
IPX Internet Packet Exchange
IRB Integrated Routing and Bridging
IS Intermediate System
ISDN BRI Integrated Services Digital Network—Basic Rate Interface
ISDN PRI Integrated Services Digital Network—Primary Rate Interface
ISIS Intermediate System—Intermediate System (OSI standard routing protocol)
ISO International Organization for Standardization
ISP Internet Service Provider
ITU International Telecommunications Union
ITU-T ITU Telecommunication Standardization Sector


JPEG Joint Photographic Experts Group


LAN Local Area Network
LAPB Link Access Procedure — Balanced
LAPD Link Access Procedure on the D channel
LAPF Link Access Procedure for Frame-Mode Bearer Services
LAT Local Area Transport
LCN Logical Channel Number (X.25)
LCP Link Control Protocol (X.25)
LDN Local Dial Number (ISDN)
LLC Logical Link Control
LMI Local Management Interface (Frame Relay)
LSA Link-State Advertisement
LSP Link State Packet
LT Local Termination

M 


MAC Media Access Control
MAN Metropolitan Area Network
MAP Manufacturing Automation Protocol
MAU Media Attachment Unit
MIB Management Information Base
MIDI Musical Instrument Digital Interface
MIP Multichannel Interface Processor
MLP Multilink PPP
MMP Multichassis Multilink PPP




MOP Maintenance Operation Protocol
MP Multilink Protocol
MPEG Motion Picture Experts Group
MPR Multiprotocol PC-based Routing
MRRU Maximum Received Reconstructed Unit (PPP)
MSAU Multistation Access Units (Token Ring)
MTU Maximum Transmission Unit


NAT Network Address Translation
NAUN Nearest Active Upstream Neighbour
NBMA Non-Broadcast Multiaccess
NBP Name Binding Protocol (AppleTalk)
NCP NetWare Core Protocol
NCP Network Control Protocol (PPP)
NDIS Network Driver Interface Specification
NETBIOS Network Basic I/O System
NFS Network File System
NIC Network Information Center
NLPID Network Level Protocol Identifier
NLSP NetWare Link Service Protocol
NNI Network to Network Interface (ATM, Frame Relay)
NOS Network Operating System
NT-1 Network Termination 1
NTN Network Terminal Number (X.25)
NTP Network Time Protocol
NVE Network-Visible Entity
NVRAM Nonvolatile Random Access Memory


O 

OC Optical Circuit 

ODI Open Datalink Interface 

OSI Open System Interconnection 


OSPF Open Shortest Path First 
OUI Organizationally Unique Identifier 


P 
PAD Packet Assembler/Disassembler 
PAP Password Authentication Protocol 


PAP Printer Access Protocol (AppleTalk) 
PBX Private Branch Exchange 




Pulse Code Modulation
Public Data Network
Protocol Data Unit
Packet Internet Groper
Packet Level Protocol (X.25)
Physical Medium Dependent
Point of Presence
Post Office Protocol
Plain Old Telephone Service
Point-to-Point Protocol
Primary Rate Interface (ISDN)
Programmable Read-Only Memory
Packet-Switched Data Network
Phase Shift Keying
Packet Switched Network
Partial Sequence Number PDU
Packet-Switched Public Data Network
Public Switched Telephone Network
Post, Telephone, and Telegraph
Permanent Virtual Circuit


Quadrature Amplitude Modulation
Quality of Service


Remote Authentication Dial-In User Service
Random Access Memory
Reverse Address Resolution Protocol
Regional Bell Operating Companies
Remote Copy Protocol
Request For Comments
Routing Information Protocol
Reduced Instruction Set Computer
Remote Job Entry
Remote Location Protocol
Remote Monitoring
Read-Only Memory
Remote Procedure Call
Routing Table Maintenance Protocol (AppleTalk)
Routing Update Protocol (Vines)




SA Source Address
SABM Set Asynchronous Balanced Mode
SABME Set Asynchronous Balanced Mode Extended
SAP Service Access Point
SAP Service Advertisement Protocol (Novell)
SAS Single Attached Station
SDH Synchronous Digital Hierarchy
SDLC Synchronous Data Link Control
SDU Service Data Unit
SF Super Framing (T1/E1)
SIP SMDS Interface Protocol
SLARP Serial Link Address Resolution Protocol
SLIP Serial Line Interface Protocol
SMDS Switched Multimegabit Data Service
SMTP Simple Mail Transfer Protocol
SNA Systems Network Architecture
SNAP SubNetwork Access Protocol
SNMP Simple Network Management Protocol
SOF Start of Frame
SONET Synchronous Optical Network
SPF Shortest Path First
SPID Service Provider Identifier (ISDN)
SPP Sequenced Packet Protocol (Vines)
SPX Sequenced Packet Exchange (Novell)
SQL Standard Query Language
SRAM Static RAM
SRB Source Route Bridging
SRT Source Route Transparent Bridging
SRTP Sequenced Routing Update Protocol (Vines)
SS7 Signaling System 7
SSAP Source Service Access Point (LLC)
SVC Switched Virtual Circuit


TA Terminal Adapter
TACACS Terminal Access Controller Access Control System
TA/NT1 Terminal Adapter/Network Termination 1 (ISDN)
TCP Transmission Control Protocol
TCP/IP Transmission Control Protocol/Internet Protocol
TDM Time Division Multiplexing
TE Terminal Equipment
TE1 & TE2 Terminal Endpoints
TFTP Trivial File Transfer Protocol




TIFF Tagged Image Format
TTL Time to Live


UART Universal Asynchronous Receiver/Transmitter
UDP User Datagram Protocol
UNI User Network Interface
UTP Unshielded Twisted Pair


V
VBR Variable Bit Rate
VC Virtual Circuit
VCI Virtual Channel Identifier (X.25)
VCN Virtual Circuit Number (X.25)
VLSM Variable-Length Subnet Mask
VTAM Virtual Terminal Access Method


WAIS Wide Area Information Server
WAN Wide Area Network
WDM Wavelength-Division Multiplexing
WFQ Weighted Fair Queuing
WWW World Wide Web


XNS Xerox Network Systems
XOT X.25 over TCP


ZIP Zone Information Protocol (AppleTalk)
ZIT Zone Information Table (AppleTalk)


Appendix D 


Sample Security Policies 


Network Security Policy 


Preamble 


This document establishes the network security policy for the University of 
Telephone. 

The network security policy is intended to protect the integrity of campus 
networks and to mitigate the risks and losses associated with security threats 
to campus networks and network resources. 

Like many other universities, the University of Telephone has experienced 
and will continue to experience an increase in unauthorized access or attempts 
to access its network and computer systems. Several incidents have resulted 
in break-ins. In addition, computer systems on campus have been used as 
platforms to launch attacks on systems on the Internet at large. These incidents 
represent a responsibility and potential legal liability for the university and 
could tarnish its reputation. 

Attacks and security incidents constitute a risk to the university's academic 
mission. The loss or corruption of data or unauthorized disclosure of infor- 
mation on research and instructional computers, student records, and finan- 
cial systems could greatly hinder the legitimate activities of university staff, 
faculty, and students. The university also has a legal responsibility to secure 
its computers and networks from misuse. Failure to exercise due diligence 
may lead to financial liability for damage done by persons accessing the 
network from or through the university. Moreover, an unprotected university 
network open to abuse might be shunned by parts of the larger network 
community. This policy will allow the University of Telephone to handle
network security responsibly.

This policy is subject to revision and will be evaluated as the university 
gains experience with this policy. Procedures and guidelines associated with 
this policy will be posted on the Computer Security Administration Web Page. 




Goals 


The goals of this network security policy are to: 


- Establish university-wide policies to protect the university's networks
and computer systems from abuse and inappropriate use.

- Establish mechanisms that will aid in the identification and prevention
of abuse of university networks and computer systems.

- Provide an effective mechanism for responding to external complaints
and queries about real or perceived abuses of university networks and
computer systems.

- Establish mechanisms that will protect the reputation of the university
and will allow the university to satisfy its legal and ethical responsibilities
with regard to its network and computer system connectivity to
the worldwide Internet.

- Establish mechanisms that will support the goals of other existing
policies, e.g., Appropriate Use of Information Technology and Student
Code of Conduct.


Note: Any violation of the network security policy will also be deemed a 
violation of the above listed policies, as appropriate. 


Policy Statement 


The University of Telephone provides network resources to its divisions,
faculties, and departments in support of its Academic Mission. This policy
puts in place measures to prevent or at least minimize the number of security
incidents on the campus network without impacting the academic mission or
the integrity of the university's many different computing communities.

The responsibility for the security of the university's computing resources
rests with the system administrators who manage those resources. Computing
and Networking Services (CNS) and the Computer Security Administration
(CSA) group will help system administrators to carry out these responsibilities
according to this policy.

The Provost has overall responsibility for this policy.

The Academic Advisory Committee (AcAC) of the Computer Management
Board will review and respond to formal complaints resulting from the
implementation of this policy. Computing and Networking Services (CNS) will
prepare an annual report for ACAC relating experience with this policy and
ACAC will recommend improvements to the Provost.

In support of this policy, all departments that administer LANs connected 
to the backbone will: 


- Provide Computing and Networking Services (CNS) with the names, e-mail
addresses, and telephone numbers for at least two different contacts:
a management contact, and a primary technical contact (usually
the System Administrator). An alternate contact should be provided in
situations where both the management contact and the primary technical
contact are one and the same person.

- Endeavor to assign to an individual the authority to connect systems
to the departmental network(s).

- Endeavor to keep this information accurate and up-to-date.


Computing and Networking Services (CNS) will:


- Monitor, in real time, backbone network traffic, as necessary and
appropriate, for the detection of unauthorized activity and intrusion
attempts.

- Carry out such monitoring in compliance with the university's statement
on Personal Privacy in the Appropriate Use of Information Technology.

- Seek the cooperation of the appropriate contacts for the systems and
networks involved when a security problem (or potential security
problem) is identified to resolve such problems, but in the absence or
unavailability of such individuals be prepared to act unilaterally to
contain the problem, up to and including temporary isolation of systems
or devices from the network, and to notify the responsible system
administrator when this is done.

- Publish security alerts, vulnerability notices and patches, and other
pertinent information in an effort to prevent security breaches.

- Carry out and review the results of automated network-based security
scans of the systems and devices on university networks to detect
known vulnerabilities or compromised hosts.

- Inform the departmental system administrators of planned scan activity,
providing detailed information about the scans, including time of scan,
originating machine, and vulnerabilities tested for. The security, operation,
or functionality of the scanned machines should not be endangered
by the scan.

- Report the results of scans that identify security vulnerabilities only to
the departmental system administrator contact responsible for those
systems.

- Report recurring vulnerabilities over multiple scans to departmental
management.

- If identified security vulnerabilities, deemed to be a significant risk to
others and which have been reported to the relevant system administrators,
are not addressed in a timely manner, take steps to disable
network access to those systems or devices until the problems have
been rectified.

- Prepare summary reports of its network security activities for the ACAC
on a quarterly basis.

- Prepare recommendations and guidelines for network and system
administrators, to be posted at the Computer Security Administration
Web Page.

- Provide assistance and advice to system administrators to the extent
possible with available resources.




- Issue semiannual requests to verify the accuracy of departmental contact
information.


The Computer Security Administration group within CNS will:


- Coordinate all CNS network security efforts and act as the primary
administrative contact for all related activities.

- Coordinate investigations into any alleged computer or network security
compromises, incidents, or problems; to ensure that this coordination
is effective, security compromises should be reported to Computer
Security Administration — e-mail: security.admin@uTelephone.edu or
telephone 416-978-1354.

- Cooperate in the identification and prosecution of activities contrary to
university policies and the law; actions will be taken in accordance
with relevant university Policies, Codes and Procedures with, as appropriate,
the involvement of the Campus Police or other law enforcement
agencies.

- In consultation with system administrators, develop procedures for
handling and tracking a suspected intrusion, and deploy those procedures
in the resolution of security incidents.


System Administrators will: 


- Endeavor to protect the networks and systems for which they are
responsible.

- Endeavor to employ CNS recommended practice and guidelines where
appropriate and practical.

- Cooperate with CNS in addressing security problems identified by
network monitoring.

- Address security vulnerabilities identified by CNS scans deemed to be
a significant risk to others.

- Report significant computer security compromises to Computer Security
Administration.


Network users will:


- Abide by the Appropriate Use of Information Technology policy of the
university.

- Abide by departmental policies governing connection to departmental
networks.


Definitions 


- Network Resources — Network resources include any networks connected
to the University of Telephone backbone, any devices attached
to these networks, and any services made available over these networks.
Devices and services include network servers, peripheral equipment,
workstations, and personal computers (PCs), UTORdial, UTORmail, etc.

- Departments — Department is used as a generic term to signify an
academic or administration unit.

- System Administrator — The individual who is responsible for system
and network support for computing devices in a local computing group.
In some instances, this may be a single person whereas in others the
responsibility may be shared by several individuals, some of whom
may be at different organizational levels.


Contact 


For information about this policy or for clarification of any of the provisions
of this policy, please contact the Manager of Computer Security Administration
at security.admin@uTelephone.edu.




Business Continuity Planning 


Continuity of important business processes shall be guaranteed through disaster
planning and information classification.


Availability of Computerized Information 


Business processes that could affect Business Continuity require high availability.
The owner of these processes should define the availability required
and ensure that the IT staff implement it.


System Redundancy 


Systems of operating class may require some form of hardware, service, or 
system redundancy. See the system requirements for the Availability classes 
(Standards) and the Mechanisms Standards. 


Security Crisis/Disasters 


If a serious attack or disaster occurs: 


- The Firecall team should take charge.

- The concerned machine should be disconnected from the network.

- Document every single action taken, events, evidence found (with time
and date).

- Analyze the system: What files were changed? What programs/accounts
were added or modified? If modifications are found, check for these
modifications on similar systems.

- Notify administrators, management, and law enforcement authorities as
required.

- If you discuss details of the attack with anyone via e-mail, use encrypted
e-mail with signatures.

- Report the incident to a CERT/FIRST if necessary.




Dial-In Access 


All incoming dial-up connections (via PSTN or ISDN) should use a strong
one-time password authentication system (such as SecurID).

Dial-in access to the corporate network should only be allowed where
necessary and where the following conditions are met:


- Assurance
  The dial-in server configuration shall be accurately documented.
  It shall be subjected to yearly audits.

- Identification and Authentication
  All incoming dial-up connections (via PSTN or ISDN) shall use a
  strong authentication system: one-time passwords, challenge-response, etc.
  Administrator log-in shall not send passwords in cleartext.
  In addition, the call-back or closed user groups features should be
  used, where possible.

- Accountability and Audit
  Users shall be accountable for their actions.
  Dial-up servers shall provide detailed logging and auditing of connections.
  Logs shall be automatically analyzed, with critical errors generating
  alarms.
  Logs shall be archived for at least one year.
  The nontrivial log entries shall be examined daily.
  Statistics on usage should be available.
  The servers shall be subject to regular monitoring (weekly) and yearly
  audits.

- Access Control
  Dial-up servers shall not share file or printer resources with other
  internal machines, that is, they shall not be file or printer servers.
  Only administrative personnel shall be allowed to log on locally.
  Users shall not be able to log on directly to these machines (from
  the inside).
  Dial-up servers shall be installed in a physically secured (locked)
  room.
  A list should be kept of those users with modems. If possible, the
  telephone network should be regularly scanned for unauthorized
  modems.
  Switch off modems at night if not needed (a $5 timer is available to
  do this).

- Accuracy: no requirements.

- Data Exchange
  Use encrypted password communication (e.g., encrypted Telnet,
  SSH), if possible, especially for remote administrator access.
  Nonrepudiation of origin and receipt is not required.




- Reliability of Service
  Dial-up servers shall have all unnecessary services stopped.
  Dial-up servers shall be robust multi-tasking machines (e.g., UNIX,
  VAX, or NT).
  Dial-up servers shall offer the following availability: 7 x 24, maximum
  downtime four hours (during office hours), maximum frequency
  twice per month. Maintenance window: Wednesday evening after
  office hours.

- Change Management
  Updates and configuration changes shall be logged and carried out
  according to Quality processes.
  Alerts should be raised if important processes crash.
  Regular backups shall be made where necessary.
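The Accountability and Audit requirements above (automatic log analysis with alarms on critical errors, nontrivial entries set aside for daily examination, usage statistics) and the Change Management requirement that process crashes raise alerts, as an added example that is not part of the sample policy. The syslog-style log format, the host name dialsrv1 and the sample entries are constructed for illustration; a real dial-up server's records would need their own parse_line().

```python
"""Automated daily review of dial-up server logs (added example).

Implements the policy's log requirements over a constructed, hypothetical
syslog-style format: critical errors raise alarms, nontrivial entries are
collected for the daily examination, and usage statistics are produced.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines for a hypothetical dial-up server ("dialsrv1").
SAMPLE_LOG = """\
2001-03-07T08:02:11 dialsrv1 auth: user=jdoe line=tty3 callerid=4165550101 result=OK method=otp
2001-03-07T08:02:40 dialsrv1 session: user=jdoe line=tty3 event=connect
2001-03-07T08:31:05 dialsrv1 session: user=jdoe line=tty3 event=disconnect minutes=28
2001-03-07T09:10:00 dialsrv1 auth: user=admin line=tty1 callerid=4165550199 result=OK method=password
2001-03-07T22:15:02 dialsrv1 auth: user=root line=tty5 callerid=unknown result=FAIL method=otp
2001-03-07T22:15:31 dialsrv1 auth: user=root line=tty5 callerid=unknown result=FAIL method=otp
2001-03-07T22:16:04 dialsrv1 auth: user=root line=tty5 callerid=unknown result=FAIL method=otp
2001-03-07T22:16:40 dialsrv1 auth: user=root line=tty5 callerid=unknown result=FAIL method=otp
2001-03-07T23:40:12 dialsrv1 auth: user=asmith line=tty2 callerid=4165550177 result=OK method=otp
2001-03-07T23:41:00 dialsrv1 session: user=asmith line=tty2 event=connect
2001-03-08T00:20:00 dialsrv1 session: user=asmith line=tty2 event=disconnect minutes=39
2001-03-08T02:00:00 dialsrv1 daemon: event=crash process=pppd
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<fields>.*)$")

FAIL_THRESHOLD = 3                 # failed authentications on one line before alarming
CLEARTEXT_METHODS = {"password"}   # reusable secret sent in the clear; forbidden for admins
ADMIN_USERS = {"admin", "root"}    # accounts whose every login is reviewed


def parse_line(line):
    """Parse one log line into a dict of fields; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts")),
           "host": m.group("host"), "facility": m.group("facility")}
    for item in m.group("fields").split():
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def analyze(log_text):
    """Return the nontrivial entries, the alarms raised and usage statistics."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    nontrivial, alarms = [], []
    fails_per_line = Counter()
    stats = {"sessions": Counter(), "minutes": Counter(), "failed_logins": 0}

    for r in records:
        if r["facility"] == "auth":
            if r.get("result") == "FAIL":
                stats["failed_logins"] += 1
                nontrivial.append(r)
                fails_per_line[r["line"]] += 1
                if fails_per_line[r["line"]] == FAIL_THRESHOLD:   # alarm once per line
                    alarms.append(f"{r['ts']} repeated failures on {r['line']} "
                                  f"user={r['user']} callerid={r.get('callerid')}")
            elif r.get("user") in ADMIN_USERS:
                nontrivial.append(r)
                if r.get("method") in CLEARTEXT_METHODS:
                    alarms.append(f"{r['ts']} administrator {r['user']} authenticated "
                                  f"with cleartext method on {r['line']}")
        elif r["facility"] == "session":
            if r.get("event") == "connect":
                stats["sessions"][r["user"]] += 1
            elif r.get("event") == "disconnect":
                stats["minutes"][r["user"]] += int(r.get("minutes", 0))
        elif r["facility"] == "daemon" and r.get("event") == "crash":
            nontrivial.append(r)              # important process crash must raise an alert
            alarms.append(f"{r['ts']} process {r.get('process')} crashed")

    return {"nontrivial": nontrivial, "alarms": alarms, "stats": stats}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for alarm in report["alarms"]:
        print("ALARM:", alarm)
    print(len(report["nontrivial"]), "entries for daily review")
    print("connect minutes per user:", dict(report["stats"]["minutes"]))
```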




Access Control 


- All users should be authorized.

- Users should be able to set the privileges of objects belonging to them
in their environment.

- Users should be prevented from deleting other user files in shared
directories.

- Consider allowing root log-in only via the console.

- It should be possible to control user access to all objects on the system
(files, printers, devices, databases, commands, applications, etc.) according
to a stated policy.

- Users should not be able to examine the access control granted to
other users.

- It should be possible to label data with a classification.

- Mandatory access control should be provided.




Communications Security Policy 
Statement 


The complex and highly sophisticated communications networks used with
information technology systems require security arrangements specifically tailored
to them. To ensure that the communications systems of the university
are appropriately protected, the following physical security policies shall be
followed:


- The primary data communications site located within campus shall be
physically secured via a card swipe access system. Access to this area
is restricted to those personnel given access by the Vice President for
Administration and Finance.

- All employees and guests of Computing and Communications Services
(OCCS) shall be provided badges. The badges shall be appropriately
displayed at all times by the individuals while they are within the
secured facilities.

- All wiring closets containing the campus-area network equipment consisting
of distributed ATM and Ethernet switches throughout the university
should be secured at minimum via a cipher push-button lock.
Access to these facilities shall be appropriately limited to only those
individuals requiring access in the performance of their job responsibilities.

- As budgetary constraints allow, the wiring closets should be protected
by a card swipe system with access logging.

- Wiring closets should not be shared with other university functions
such as housekeeping, elevator access, etc. They should be dedicated,
single-use spaces.

- Physical connections to campus networks shall only be made by
Computing and Communications (OCCS) Network Services personnel
for OCCS-owned networks.

- Subnetworks owned and operated by other university departments will
be maintained by the owning department and appropriately protected
by the same type of security measures as described above.

- All connections to external networks, including but not limited to dial-in
facilities (RAS, access servers, modems, etc.) shall only be made by
OCCS staff or with the written authorization of the Director of Communications
and Network Services.


Network Access Control Procedures 


OCCS Network Services personnel are responsible for researching, recommending,
and/or requesting funding to use appropriate technology to accomplish
network security. Advancements in these ever-changing technologies mandate
ongoing research and advising of the university's Vice President for Administration
and Finance of the risks and possible strategies to reduce any identified risk.




OCCS is responsible for the development and recommendation of access
control policies, given budgetary constraints and resource allocations. The
development of procedures to implement approved policies is also the responsibility
of OCCS.

Resources owned by other university departments shall be appropriately 
secured via departmental staff. 

The university will comply with all existing state and federal laws governing 
network access and attached resources. 

To facilitate ongoing network maintenance and assist in law enforcement
efforts, all networked resources will display a banner similar to the following
at all log-in prompts:


You are entering a University of Telephone System, which may be used
only for authorized purposes. Unauthorized modification of any information
stored on this system may result in criminal prosecution. University
of Telephone may monitor and audit the usage of this system,
and all persons are hereby notified that use of this system constitutes
consent to such monitoring and auditing. For security purposes, and
to ensure that this service remains available to all users, this University
of Telephone computer system employs software programs to monitor
network traffic to identify unauthorized attempts to upload or change
information or to otherwise cause damage, including attempts to deny
service to authorized users. Attempts to upload or change information
on this service without authorization or to download and copy with
the intent to defraud are strictly prohibited and may be punishable
under the Computer Fraud and Abuse Act of 1986 and the National
Information Infrastructure Protection Act.


Network Contingency Plan 


OCCS Network Services personnel are responsible for the formulation of a
network contingency plan for the university-owned networks, including the
ATM backbone and external network connections. This plan should identify
critical networked resources for administrative, teaching, and research needs.
The plan shall be contained in the University Central Computing Disaster
Recovery and Contingency Plan.




Software Development Policy 


Security should be an integral part of new systems. When functional requirements
are designed, security requirements should be formulated corresponding
to the sensitivity and availability of data to be handled by the system.


General Guidelines 


■ Separate development and production environments and data. 
■ Consider security to be an integral part of application development. 
■ Assure that test data does not contain confidential information. 
■ Consider using a secured language (e.g., Java rather than C, Tainted 
Perl rather than Perl). 
■ Consider having major new systems ITSEC approved. 




System and Network Security Policy 
Network Security 


A network security policy is definitely required before implementing an 
intranet. People will tend to treat the intranet as they do the Internet — a 
free-for-all — unless a few guidelines are established. In addition, most 
intranets contain corporate information, many times proprietary. Users should 
understand how they should use the intranet, as well as how they can 
contribute feedback to its improvement as a productivity tool. 

The security of the network will be provided by the installation of a firewall 
router. The firewall should perform the following tasks: 


■ Shield all local IP addresses and hostnames from the outside world. 
■ Be transparent to internal users so that they are able to perform FTP, 
Telnet, etc. as they are used to. 
■ Allow applications from outside only if the particular remote user and 
remote host address are registered. 
■ Identify the network addresses that are authorized to log into the 
firewall. 
■ Reject “finger” requests from outside. 
■ Block inbound and outbound r-commands (e.g., rlogin, rsh, rcp, rwho, 
etc.). 
■ Provide remote user advanced authentication (one-time passwords). 
■ Prevent NIS and NFS from leaving the local network. 
■ Log all valid and invalid log-ins to the firewall. 
■ Permit or deny services to specific host systems. 


The following public access services will be located outside the firewall: 


■ World Wide Web services such as the NSRC home pages and related 
documents 
■ Anonymous FTP 
■ Domain name resolution (DNS) 


Host Security 


■ Create a cron job to remove all .rhosts entries defining trusted hosts not 
belonging to NSRC. These file permissions must only be read/write by 
owner. 
■ Disable TFTP. 
■ Make sure no /etc/hosts.equiv are used. 
■ Make sure that all accounts have passwords. Make sure that no dictionary 
words are used for passwords. Implement password aging. 
■ Keep track of checksum values of all setuid root programs. 
■ Limit the number of failed log-in attempts and increase the time interval 
between consecutive log-in attempts. 
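The following script is an added example and is not part of the book's sample policy. It automates three items of the Host Security list above in POSIX shell: pruning .rhosts entries that trust hosts outside the organization (it also drops the "+" wildcard, which trusts every host), checking that no /etc/hosts.equiv is in use, and recording and re-verifying checksums of setuid root programs. The trusted domain "nsrc.example", the directory roots, the baseline file and the file owner are all parameters (placeholder values) so the functions can be exercised against a copy of a file tree before being run as root against "/".

```shell
#!/bin/sh
# Added example, not from the book: checks for three items of the Host Security list.
# Directory roots, the trusted domain (placeholder "nsrc.example") and the file owner
# are parameters so the functions can be run against a copy of a file tree.

# Strip .rhosts entries that trust hosts outside <trusted_domain> (and "+" wildcards),
# then make each file readable/writable by its owner only. Prints lines removed.
# Usage: prune_rhosts <home_root> <trusted_domain>
prune_rhosts() {
  root=$1; domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); removed=0
  for f in $(find "$root" -type f -name .rhosts 2>/dev/null); do
    before=$(wc -l < "$f")
    awk -v d="$domain" '
      /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # keep comments and blank lines
      {
        h = tolower($1)
        if (h == "+") next                        # "+" trusts every host: always drop
        # keep only hosts equal to, or ending in "." followed by, the trusted domain
        if (h == d || substr(h, length(h) - length(d)) == "." d) print
      }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    chmod 600 "$f"                                # read/write by owner only
    after=$(wc -l < "$f")
    removed=$((removed + before - after))
  done
  echo "$removed"
}

# Succeed (exit 0) when <system_root>/etc/hosts.equiv is absent or empty, i.e. no
# host-wide trust relationship is configured. Use "/" as the root on a live system.
hosts_equiv_ok() {
  [ ! -s "${1%/}/etc/hosts.equiv" ]
}

# Hash a file with the strongest tool available: SHA-256 where present, POSIX cksum
# as the fallback (the book's wording is "checksum values").
hashfile() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
  else cksum "$1"
  fi
}

# Record "<hash> <path>" for every setuid file owned by <owner> (default root) under
# <root> into <baseline>. On a real host run as root with root=/ and owner root.
# Usage: setuid_baseline <root> <baseline> [owner]
setuid_baseline() {
  find "$1" -xdev -type f -perm -4000 -user "${3:-root}" 2>/dev/null | sort |
    while IFS= read -r p; do hashfile "$p"; done > "$2"
}

# Rebuild the listing and compare it with the baseline. Exit 0 when nothing changed,
# 1 when a setuid file was added, removed or modified (the differences are printed).
# Usage: setuid_verify <root> <baseline> [owner]
setuid_verify() {
  cur="$2.current.$$"
  setuid_baseline "$1" "$cur" "${3:-root}"
  if cmp -s "$2" "$cur"; then rm -f "$cur"; return 0; fi
  diff "$2" "$cur"; rm -f "$cur"; return 1
}
```

On a production host the natural schedule is the cron job the policy calls for: `prune_rhosts /home nsrc.example`, `hosts_equiv_ok /`, and `setuid_verify / /var/lib/setuid-baseline.txt` run nightly, with a non-zero exit from the last two raised as an alert. The baseline itself must be stored where an attacker who has gained root cannot silently rewrite it (read-only media or a separate host), otherwise the checksum comparison only proves that the baseline matches whatever is currently installed.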




Electronic Communication Policy 


The Company maintains a voice-mail system and an electronic-mail (e-mail) 
system to assist in the conduct of business within the Company. These systems, 
including the equipment and the data stored in the system, are and remain 
at all times the property of the Company. As such, all messages created, sent, 
received, or stored in the system are and remain the property of the Company. 

Messages should be limited to management-approved activities. 

The Company reserves the right to retrieve and review any message 
composed, sent, or received. Please note that even when a message is deleted 
or erased, it is still possible to recreate the message; therefore, ultimate privacy 
of messages cannot be ensured to anyone. Although voice mail and electronic 
mail may accommodate the use of passwords for security, confidentiality 
cannot be guaranteed. Messages may be reviewed by someone other than the 
intended recipient. Moreover, all passwords must be made known to the 
Company. The reason for this is simple: your system may need to be accessed 
by the Company when you are absent. 

Messages may not contain content that may reasonably be considered 
offensive or disruptive to any employee. Offensive content would include, 
but would not be limited to, sexual comments or images, racial slurs, gender- 
specific comments, or any comments that would offend someone on the basis 
of his or her age, sexual orientation, religious or political beliefs, national 
origin, or disability. 

Employees learning of any misuse of the voice-mail or electronic-mail 
system or violations of this policy shall notify the Director of Human Resources 
immediately. Failure to abide by this policy will be viewed as “unacceptable 
behavior” as discussed in the Employee Standards of Conduct Policy (see 
Exhibit 1). 




Exhibit 1 The Company Contract Personnel Confidentiality Agreement 


This confidentiality agreement entered into on this ____ day of ____, ____ 
(date) (month) (year), is between the Company, located at ____, and ____ 
(contract personnel's name), a Contract Personnel for ____ (contract provider), 
a company located at ____ (contracting company address). 


The Contract Personnel acknowledges and agrees that: 

1. The work covered by this contract may include, but is not limited to, the 
Company (and its vendor's) software programs, computer code, software 
documentation, methodology documentation, reference manuals, business 
models, data models, and other valuable business and technological information 
(referred to herein collectively as “proprietary information and technology”). 

2. The Contract Personnel shall keep strictly confidential all such proprietary 
information and technology solely for the purpose of evaluating the Company, 
its business, and its products. The Contract Personnel agrees that any and all 
proprietary information and technology provided by the Company, or prepared 
by the Contract Personnel under this agreement, is (and shall remain) the 
proprietary and confidential information and property of the Company. The 
Contract Personnel may not use any of the proprietary information and/or 
technology of the Company for any purpose other than that which has been 
defined in the scope of work section of this document, without the prior written 
consent of the Company. 

3. The Contract Personnel shall not introduce, or cause to have introduced, any 
non-Company-approved software, or computer code, into any Company 
computer system. 

4. Depending on the extent of the Contract Personnel's assignment 
responsibilities, a background check may be required. 

5. Upon request of the Company, the Contract Personnel agrees to return (within 
three business days) originals and all copies of any such proprietary information 
and technology, which was previously obtained. The termination of this contract 
does not relieve the Contract Personnel from his or her obligation to keep strictly 
confidential all such proprietary information and technology. 

The Contract Personnel's obligations, as to the proprietary information and 
technology, shall not apply to the following: 

a. That which the Contract Personnel at present has knowledge, or which is in 
the Contract Personnel's possession on the date hereof, and which was not 
obtained through contact with the Company previous to the date hereof; 

b. That which is at present publicly available, or a matter of public knowledge 
generally; 




c. That which is lawfully received by the Contract Personnel from a third party 
who is (or was), to the best of the Contract Personnel's knowledge, not bound 
in any confidential relationship to the Company; 

d. That which is independently developed by the Contract Personnel, and does 
not contain any Company proprietary information; 

e. That which requires disclosure by applicable law. 

6. The Company grants no license, by implication or otherwise, under any of its 
copyrights, patents, trade secrets, trademarks, or trade names rights, as a result 
of the disclosure of the proprietary information and technology to the Contract 
Personnel under this agreement. The Contract Personnel shall not decompile, 
reverse-engineer, or disassemble any portion of the Company software 
products, or its vendor's products, except to the extent necessary to perform 
services required under this agreement. 

7. The Contract Personnel may be required to sign additional confidentiality 
agreements, due to vendors of the Company (and other companies) that 
have developed separate confidentiality agreements pertaining to products 
that may be used by the Contract Personnel during assignment at the 
Company. 

8. The Contract Personnel acknowledges that the Company shall not have an 
adequate remedy in the event that the Contract Personnel breaches this 
agreement, and that the Company will suffer irreparable damage and injury in 
such event, and the Contract Personnel agrees that the Company, in addition to 
any other available rights and remedies, shall be entitled to seek an injunction 
restricting the Contract Personnel from committing, or continuing, any violation 
of this agreement. The Contract Personnel agrees to submit the items outlined 
in sections 1 through 5 of this agreement, for the purpose of interpreting 
or enforcing, any of the provisions of this agreement. This agreement shall be 
governed by the laws of the State of 

9. The Contract Personnel has received training in regard to the Company 
policies and procedures, which may include (but are not limited to) the 
following: 

a. The Company proprietary information and technology rights 
b. The Company policies regarding Information Protection and Personnel 
Standards of Conduct 
c. The Information Protection Workstation Reference Guide 
d. Standards of Conduct pertaining to the Contract House 
e. The Company Contract Personnel Confidentiality Agreement 
f. The Company information security awareness training material 
g. The Company Safety Handbook 




The parties do hereby sign and execute this Company confidentiality agreement as 
of the date written below: 




Name and address of Contract Provider: 

Name and address of the Company Supervisor: 

Printed Name of Contract Personnel: 

Printed Name of the Company Supervisor: 

Signature of Contract Personnel: 

Signature of the Company Supervisor: 

Date: 




Sign-On Banner 


This system is for the use of authorized users only. Individuals using this 
computer system without authority, or in excess of their authority, are subject 
to having all activities on this system monitored and recorded by system 
personnel. 

In the course of monitoring, individuals improperly using this system, or 
in the course of system maintenance, the activities of authorized users may 
also be monitored. 

Anyone using this system expressly consents to such monitoring and is 
advised that if such monitoring reveals possible evidence of criminal activity, 
a report will be made to Management and all evidence will be turned over 
to the appropriate authorities. 
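The university banner earlier in this chapter and the Sign-On Banner above both require that the notice be shown at every log-in prompt. As an added example that is not part of the book, the script below installs the Sign-On Banner text for OpenSSH and checks that a given sshd_config will actually display it. File paths are parameters; the conventional locations are /etc/issue.net for the banner file and /etc/ssh/sshd_config for the server configuration. The configuration check is deliberately simple (first Banner keyword wins, comments skipped, Match blocks not interpreted) and is an assumption of this example rather than a full sshd_config parser.

```shell
#!/bin/sh
# Added example, not from the book: install the Sign-On Banner for OpenSSH and
# verify that an sshd_config points at it. Paths are parameters (conventionally
# /etc/issue.net and /etc/ssh/sshd_config).

# Write the banner text to <banner_file>, world-readable so sshd can serve it
# before authentication. Usage: install_banner <banner_file>
install_banner() {
  cat > "$1" <<'EOF'
This system is for the use of authorized users only. Individuals using this
computer system without authority, or in excess of their authority, are subject
to having all activities on this system monitored and recorded by system
personnel.

In the course of monitoring individuals improperly using this system, or in the
course of system maintenance, the activities of authorized users may also be
monitored.

Anyone using this system expressly consents to such monitoring and is advised
that if such monitoring reveals possible evidence of criminal activity, a report
will be made to Management and all evidence will be turned over to the
appropriate authorities.
EOF
  chmod 644 "$1"
}

# Print the effective Banner value from an sshd_config. sshd uses the FIRST
# occurrence of a keyword; keywords are case-insensitive; "keyword value" and
# "keyword=value" are both accepted. Match blocks are ignored (assumption of
# this example). Usage: effective_banner <sshd_config>
effective_banner() {
  awk -F '[ \t=]+' '
    { sub(/^[ \t]+/, "") }                  # drop indentation so $1 is the keyword
    /^#/ || /^$/ { next }                   # skip comments and blank lines
    tolower($1) == "banner" { print $2; exit }
  ' "$1"
}

# Exit 0 only when <sshd_config> will show a non-empty <banner_file> at log-in.
# Usage: banner_configured <sshd_config> <banner_file>
banner_configured() {
  [ "$(effective_banner "$1")" = "$2" ] && [ -s "$2" ]
}
```

sshd sends the Banner file to the client before authentication, which is what makes the consent wording effective for remote users; local console log-ins read /etc/issue instead, so the same text is normally installed there as well. Because sshd honours the first occurrence of a keyword, a late `Banner /etc/issue.net` appended after an earlier `Banner none` silently does nothing, which is exactly the case the check above catches. Restart sshd after editing the configuration.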




Standards of Conduct for Electronic Communications 


The Company policies regarding Employee Standards of Conduct, Conflict of 
Interest, Equal Employment Opportunity and Diversity in the Workplace, 
Communication and Information Protection also apply to electronic messages 
(e-mail), telephone messages (voice mail), and other internal and external 
electronic communications, including, but not limited to, computer bulletin 
boards, newsgroups, and the Internet. 

Transmitted messages are to be created, handled, distributed, and stored 
with the same care as any other business document. This includes complying 
with information-access prohibitions, accessing information only for legitimate 
business purposes, and protecting information from access by unauthorized 
persons. 

Users should be aware that these systems, and the information stored within 
them, are the property of the Company and are to be used only for Company- 
approved activities. The Company maintains the right to monitor the operation 
of these systems. 

Since confidentiality is not assured, these systems are to be used only for 
transmitting information considered “Public” or for “Internal Use.” (The definitions 
for “Public,” “Internal Use,” and “Confidential” may be found in the 
Company Policy on Information Classification.) “Confidential” information 
should not be communicated using these electronic systems. The Company 
prohibition of derogatory and offensive comments also applies to messages 
communicated through these systems. Special care should be given to ensure 
that the style and tone of messages are appropriate. 

Every effort should be made to send messages only to those who “need 
to know.” The Company Policy on Communication details the approvals 
required before distributing information externally or internally through the 
use of company mailing lists. 

Employees are responsible for using these systems appropriately. Inappropriate 
use could result in disciplinary action. 




E-Mail Access Policy 
Purpose 


To establish guidelines for employees when accessing electronic mail (e-mail) 
services using Club computers. This policy is meant to augment e-mail policy 
statements contained in the employee handbooks for each of the entities in 
the Club family of organizations. 

Benefits from complying with e-mail policies include the following: 


■ Assurance that people cannot send messages that appear to have you 
as the sender 
■ Business continuity during unexpected absences without compromising 
your password 
■ Confidentiality of information that could affect customers or employees 
of the company 


Scope 


The Club supports two different e-mail systems: 


■ Host-based or TAO e-mail 
■ Client/server-based or Outlook e-mail 


The Club also provides access to Internet e-mail services from both the 
TAO and Outlook e-mail systems on an as-needed basis. 

The rules and obligations described in this policy apply to all employees 
who use the Club's computer network, wherever they may be located. 


Policy Statements 
Authorized Usage 


It is every employee's duty to use the Club's computer e-mail systems responsibly, 
professionally, ethically, and lawfully. Only Club-provided, authorized 
e-mail software may be used. The computer e-mail systems are the property 
of the Club and may be used for legitimate business purposes. Employees 
should limit the use of e-mail for sending personal messages. Employees are 
permitted access to the Club's e-mail systems to assist them in performance 
of their jobs. Use of the e-mail systems is a privilege that may be revoked at 
any time. 

As a guide for use, e-mail is generally acceptable for the following types 
of communication: 


■ Confirm appointments and meetings 
■ Remind others of deadlines 
■ Provide informal and brief progress reports 
■ Convey nonconfidential information to others quickly 
■ Stay in touch with business partners 
■ Share concerns and suggestions with others 


Prohibited Activities 


Material that is fraudulent, harassing, embarrassing, sexually explicit, profane, 
obscene, intimidating, defamatory, or otherwise unlawful or inappropriate 
may not be sent by e-mail, or displayed, or stored on the Club's computer 
systems. Employees encountering or receiving this kind of material should 
immediately report the incident to their supervisor and the Information 
Systems Security Manager. 

The Club's e-mail systems may not be used for dissemination or storage 
of commercial or personal advertisements, solicitations, promotions, destruc- 
tive programs (i.e., viruses), political material, charitable endeavors, private 
business activities, or any other unauthorized use. 

Employees may not deliberately perform acts that waste computer resources 
or unfairly monopolize resources to the exclusion of others. These acts include, 
but are not limited to, sending mass mailings or chain letters. 

Unless expressly authorized by the Club, sending, transmitting, or otherwise 
disseminating proprietary data, trade secrets, or other confidential information 
of the Club is strictly prohibited. Unauthorized dissemination of this information 
may result in substantial civil liability as well as severe criminal penalties 
under the Economic Espionage Act of 1996. 




Internet E-Mail 


Mail sent and received via the Internet using Club addresses is for conducting 
Club business only. E-mail via the Internet should be treated in much the 
same manner that one would treat mailings on official Club stationery. Your 
e-mail address represents the organization, and thus must be confined to 
official Club business. The Club reserves the right to access and disclose all 
electronic messages, documents, and data sent or received via Internet e-mail. 

Internet e-mail messages are sent over public networks and therefore you 
should not use e-mail for confidential information. All file attachments to e- 
mail messages received over the Internet must be scanned for viruses prior 
to execution or opening the file. 

Having an e-mail address on the Internet may lead to receipt of unsolicited 
e-mail containing annoying or offensive content. Receipt of unsolicited and 
unwanted information of this nature should be reported to the IS Security 
Manager. Employees accessing the Internet do so at their own risk. 


Computer Passwords 


Employees are responsible for their e-mail account and the messages sent from 
this account. Computer passwords provide access control to employee e-mail 
accounts. Therefore, employees must not share computer passwords. Employees 
must not allow anyone else to send e-mail using their accounts. This includes 
their supervisors, secretaries, assistants, and any other subordinates. 

Once an employee has shared the password with another person, the other 
person can log on to e-mail in the employee's name, send messages from the 
employee's name, read the employee's incoming messages (including confidential 
messages), and access the employee's e-mail files. 


No Expectation of Privacy 


The computers and e-mail accounts given to employees are to assist them 
in performance of their jobs. Employees should be aware that e-mail 
communications could be forwarded, intercepted, printed, and stored by others. 
Therefore, employees should not have an expectation of privacy in anything 
they create, store, send, or receive on the computer system. E-mail commu- 
nications systems and all messages generated on or handled by e-mail 
communications systems, including backup copies, are considered to be the 
property of the Club. 

Employees consent to allowing personnel of the Club to access and review 
all materials employees create, store, send, or receive on the computer or 
through the Internet or any other computer network. It is the policy of the 
Club not to regularly monitor the content of electronic communications. However, 
the content of electronic communications may be monitored and the usage 
of e-mail communications will be monitored to support operational, maintenance, 
auditing, security, and investigative activities. Users should structure their 
electronic communications in recognition of the fact that the Club will from 
time to time examine the content of electronic communications. Employees 
understand that the Club may use manual or automated means to monitor use 
of its e-mail systems. 


Incidental Disclosure 


It may be necessary for technical support personnel to review the content of 
an individual employee's communications during the course of problem res- 
olution. Technical support personnel may not review the content of an 
individual employee's communications out of personal curiosity or at the 
behest of individuals who have not gone through proper approval channels. 


Policy Enforcement 


Employees must also comply with all other computer access and use require- 
ments, including those described in the Employee Computer Security Hand- 
book. See the e-mail section of the Employee Handbook for additional details 
on the Club's e-mail policy. 

Violations of standards, procedures, or guidelines established in support 
of this policy should be reported to management for appropriate action. 
Violations to this policy will be taken seriously and may result in disciplinary 
action, including possible termination, and civil and criminal liability. 


Responsibilities 


m Staff Officers 
Approve access to the Internet e-mail for use by individuals in their 
business unit per this policy. 

m Business Unit Management 
Approves access to internal e-mail for use by individuals in its 
business unit per this policy. 
Assists Information Systems Security in ensuring that each of its 
employees is aware of and understands this policy. 
Assists Information Systems Security in ensuring that employees 
comply with this policy. 
Reports violations that are detected within its assigned area of control 
to the Manager, Information Systems Security. 

m Information Systems Security Department 
Has primary responsibility for the establishment, implementation, 
and maintenance of this policy to assist management in the protection 
of company information assets. 
Will develop and, with the concurrence of management, publish 
standards, procedures, and guidelines needed to assure adequate 
security is maintained within the scope of this policy. 




m Enterprise Systems and Networks Department 
Establishes e-mail accounts for employees as required by business 
requirements. 
Installs and maintains network e-mail system, firewall, content filter- 
ing software, and virus protection software. 

m Internet and Human Resource Systems Department 
Establishes Internet access upon receipt of approved request. 


Policy Exceptions 


Exceptions to this policy require written authorization from the Vice President 
and CIO, Information Systems. 




Software Usage 


Organization software usage guidelines are detailed in Exhibit 2, employee 
usage guidelines are shown in Exhibit 3, and employee home software usage 
guidelines are listed in Exhibit 4. 


Exhibit 2 Organization Software Usage Guidelines 


1. General Statement of Policy. It is the policy of [Organization] to respect all 
computer software copyrights and to adhere to the terms of all software 
licenses to which [Organization] is a party. [Organization] will take all steps 
necessary to prohibit users from duplicating any licensed software or related 
documentation for use either on [Organization] premises or elsewhere unless 
[Organization] is expressly authorized to do so by agreement with the 
licensor. Unauthorized duplication of software may subject users and/or 
[Organization] to both civil and criminal penalties under the United States 
Copyright Act. 
[Organization] must not permit any employee to use software in any manner 
inconsistent with the applicable license agreement, including giving or receiving 
software or fonts from clients, contractors, customers, and others. 

2. User Education. [Organization] must provide and require a software education 
program for all of its software users (to be crafted by the software manager). 
Upon completion of the education program, users are required to sign the 
[Organization] Employee Personal Computer Software Usage Guidelines. New 
users will be provided the same education program within 10 days of the 
commencement of their employment. 

3. Budgeting for Software. When acquiring computer hardware, software, and 
training, [Organization] must budget accordingly to meet the costs at the time 
of acquisition. When purchasing software for existing computers, 
[Organization] must charge the purchases to the department budget for 
information technology or an appropriate budget set aside for tracking 
software purchases. 

4. Acquisition of Software. All software acquired by [Organization] must be 
purchased through the [MIS, purchasing, or other appropriate] designated 
department. Software may not be purchased through user corporate credit 
cards, petty cash, travel or entertainment budgets. Software acquisition channels 
are restricted to ensure that [Organization] has a complete record of all software 
that has been purchased for [Organization] computers and can register, support, 
and upgrade such software accordingly. This includes software that may be 
downloaded or purchased from the Internet. 




5. Registration of Software. When [Organization] receives the software, the 
designated department [MIS, purchasing, etc.] must receive the software first 
to complete registration and inventory requirements before installation. In 
the event the software is shrink-wrapped, the designated department is 
responsible for completing the registration card and returning it to the 
software publisher. Software must be registered in the name of 
[Organization] and department in which it will be used. Due to personnel 
turnover, software will never be registered in the name of the individual user. 
The designated department maintains a register of all [Organization] 
software and will keep a library of software licenses. The register must 
contain (a) the title and publisher of the software; (b) the date and source 
of software acquisition; (c) the location of each installation as well as the 
serial number of the hardware on which each copy of the software is 
installed; (d) the existence and location of backup copies; and (e) the serial 
number of the software product. 

6. Installation of Software. After the registration requirements above have been 
met, the software will be installed by the software manager. Once installed, the 
original media will be kept in a safe storage area maintained by the designated 
department. User manuals, if provided, will either reside with the user or reside 
with the software manager. 

7. Home Computers. [Organization] computers are organization-owned assets and 
must be kept both software legal and virus free. Only software purchased 
through the procedures outlined above may be used on [Organization] 
machines. Users are not permitted to bring software from home and load it onto 
[Organization] computers. Generally, organization-owned software cannot be 
taken home and loaded on a user's home computer if it also resides on 
[Organization] computer. If a user is to use software at home, [Organization] 
will purchase a separate package and record it as an [Organization]-owned asset 
in the software register. However, some software companies provide in their 
license agreements that home use is permitted under certain circumstances. If 
a user needs to use software at home, he or she should consult with the software 
manager or designated department to determine if appropriate licenses permit 
home use. 

8. Shareware. Shareware software is copyrighted software that is distributed via the 
Internet. It is the policy of [Organization] to pay shareware authors the fee they 
specify for use of their products. Under this policy, acquisition and registration 
of shareware products will be handled the same way as for commercial software 
products. 

9. Quarterly Audits. The software manager or designated department will conduct 
a quarterly audit of all [Organization] PCs and servers, including portables, to 
ensure that [Organization] is in compliance with all software licenses. Surprise 
audits may be conducted as well. Audits will be conducted using an auditing 
software product. Also, during the quarterly audit, [Organization] will search for 
computer viruses and eliminate any that are found. The full cooperation of all 
users is required during audits. 




10. Penalties and Reprimands. According to the U.S. Copyright Act, illegal 
reproduction of software is subject to civil damages of as much as U.S.$100,000 
per title infringed, and criminal penalties, including fines of as much as 
U.S.$250,000 per title infringed and imprisonment of up to five years. An 
[Organization] user who makes, acquires, or uses unauthorized copies of 
software will be disciplined as appropriate under the circumstances. Such 
discipline may include termination of employment. [Organization] does not 
condone the illegal duplication of software and will not tolerate it. 


I have read [Organization] anti-piracy statement and agree to bind the 
[Organization] accordingly. I understand that violation of any above policies may 
result in both civil liability and criminal penalties for the [Organization] and/or its 
employees. 


Signature 


Title 


Date 


Published by the SPA Anti-Piracy. (You are given permission to duplicate and modify 
this policy statement so long as attribution to the original document comes from 
SPA Anti-Piracy.) 




Exhibit 3 Employee Usage Guidelines for [Organization] 


Software will be used only in accordance with its license agreement. Unless 
otherwise provided in the license, any duplication of copyrighted software, except 
for backup and archival purposes by software manager or designated department, 
is a violation of copyright law. In addition to violating copyright law, unauthorized 
duplication of software is contrary to [Organization] standards of conduct. The 
following points are to be followed to comply with software license agreements: 

1. All users must use all software in accordance with its license agreements and 
the [Organization] software policy. All users acknowledge that they do not own 
this software or its related documentation, and unless expressly authorized by 
the software publisher, may not make additional copies except for archival 
purposes. 

2. [Organization] will not tolerate the use of any unauthorized copies of software 
or fonts in our organization. Any person illegally reproducing software can be 
subject to civil and criminal penalties including fines and imprisonment. All 
users must not condone illegal copying of software under any circumstances 
and anyone who makes, uses, or otherwise acquires unauthorized software will 
be appropriately disciplined. 

3. No user will give software or fonts to any outsiders including clients, customers, 
and others. Under no circumstances will software be used within [Organization] 
that has been brought in from any unauthorized location under [Organization] 
policy, including, but not limited to, the Internet, the home, friends, and 
colleagues. 

4. Any user who determines that there may be a misuse of software within 
[Organization] will notify the Certified Software Manager, department manager, 
or legal counsel. 

5. All software used by [Organization] on [Organization]-owned computers will 
be purchased through appropriate procedures. 


I have read the [Organization] software code of ethics. I am fully aware of our 
software compliance policies and agree to abide by them. I understand that 
violation of any above policies may result in my termination. 


Employee Signature 


Date 

Published by the SPA Anti-Piracy. (You are given permission to duplicate and modify 
this policy statement so long as attribution to the original document comes from 
SPA Anti-Piracy.) 




Exhibit 4 Employee Home Software Usage Guidelines 


Purpose 

Consistent with paragraph seven (7) of [Organization] Software Use Guidelines, 
employees' use of [Organization] software at home is strictly prohibited unless 
express permission is received from the [Organization] software manager or designated 
department. If the software manager or designated department determines home 
use is permissible under the relevant software license agreement, then in exchange 
for the privilege of home use, I expressly agree to the following terms and 
conditions of home software use: 


1. To install only the permissible number of copies of [Organization] software on 
my home computer as determined by the [Organization] software manager or 
designated department under the relevant software license agreement; 

2. To use the [Organization] software consistently with the software's license 
agreement and [Organization] software policy, including, but not limited to, 
restricting the software's use to [Organization] business only; AND 

3. To subject my home computer with [Organization] software to periodic software 
audits to ensure [Organization] software compliance, consistent with 
paragraph nine (9) of [Organization] Software Use Guidelines (see 
http://www.spa.org/piracy/programs/empguide2.htm). 

4. To remove the [Organization] software from my computer and return any 
materials that I may have relating to [Organization] software to 
[Organization] should I cease to work for [Organization]. I understand that 
continued use of the software may subject me to potential civil liability. 


I have read [Organization] Software Use Guidelines and the preceding terms 
applying to the home use of [Organization] software. I am fully aware of the 
software compliance policies and agree to abide by them. I understand that 
violation of any of the [Organization] software use policies, including, but not 
limited to, the terms above, may result in my termination. 


Employee Signature 


Date 

Published by the SPA Anti-Piracy. (You are given permission to duplicate and modify 
this policy statement so long as attribution to the original document comes from 
SPA Anti-Piracy.) 


Appendix E 


Job Descriptions 


Chief Information Officer (CIO) 
CIO Mission 


To provide technology vision and leadership for developing and implementing 
IT initiatives that create and maintain leadership for the enterprise in a 
constantly changing and intensely competitive marketplace. 


Reporting Relationship 


To a senior functional executive (President, EVP, CFO) or CEO. This is a key 
management position for the organization responsible for IT policy and 
alignment of IT strategy with business objectives. 


Responsibilities 


• Sponsor collaborative business technology planning processes. 

• Coordinate new and existing application development initiatives 
between IT and business units. 

• Ensure IT infrastructure and architecture continue to meet enterprise 
business needs. 

• Certify “make versus buy” decisions relative to outsourcing versus in-house 
provisioning of IT services, skills, and products. 

• Establish strategic relationships with key IT suppliers and consultants. 

• Provide enabling technologies to make it easier for customers and 
suppliers to conduct business with the enterprise as well as increase 
revenue and profitability. 

• Interact with internal and external clients to ensure continuous customer 
satisfaction. 

• Provide training for all IT personnel and users to ensure productive 
use of existing and new systems. 


Skills 


Required 


• Strong business orientation, broad experience in the IT sector, and 
related activities (i.e., consulting and vendor activities). 

• Demonstrated ability to bring the benefits of IT to solve business issues 
while effectively managing costs and risks. 

• Skill at identifying and evaluating new technological developments and 
gauging their appropriateness for the enterprise. 

• Ability to communicate with and understand the needs of nontechnical 
internal clients. 

• Exceptional organization skills to ensure proper management of central 
IS resources and applications and to coordinate business unit initiatives 
and resources. 

• Ability to conceptualize, launch, and deliver multiple IT projects on 
time and within budget. 

• Ability to blend with the existing management team by being an 
effective listener, team builder, and an articulate advocate of the IT 
vision. 


Personal Qualities 


Superb leadership, communication, and interpersonal skills; ability to 
function in a collaborative and collegial environment; sensitivity to 
others, high integrity and intelligence, excellent judgment, a conceptual 
thinker, strategically as well as pragmatically, and ability to generate 
trust and build alliances with co-workers. 


Job Descriptions 257 


Information Security Manager 
Primary Responsibilities 


Provides strategic direction for the protection of company information assets. 
Reports to the Corporate Information Officer (CIO). 


Job Scope 


Develop strategic direction for the protection of information assets. Provide 
programs to meet management's fiduciary and legal responsibilities. Develop 
security solutions that facilitate the strategic business needs of the company. 
Implement processes to identify threats to the company information assets 
and computer resources. Assist information owners in identifying and implementing 
controls to mitigate threats to company information assets and computer 
resources. Develop policies on information asset protection. Implement 
formal information protection programs and employee awareness training. 
Identify and recommend security solutions based on changing technology. 
Implement proactive computer virus, copyright compliance, business continuity 
planning, and emergency response programs. 


Required Skills, Experience, and Competencies 


Must have a Bachelor's degree from a recognized college or university in 
Management Information Systems, Business, or Computer Science, and a 
minimum of three years job-related experience supporting information protection 
activities; or an Associate's degree in Management Information Systems, 
Business, or Computer Science, and a minimum of five years job-related 
experience; or seven years supporting information protection activities. Ability 
to understand and correlate information protection controls to business needs. 
Proven project management skills. Proven team-building and leading skills. 
Solid communication skills, both oral and written. Ability to work without 
direct supervision. Proven ability to develop key relationships needed to 
support strategic direction. 


Additional Desired Competencies 


CISSP and CDRP preferred. Recognition as an industry expert by peers. Proven 
ability to work with senior management of private, public, and academic 
organizations. Proven ability to influence the security profession. Established 
network of contacts throughout the information security profession. 




Security Administrator 


Primary Responsibilities 


Maintains standard information protection policies and procedures. Monitors 
conformance to these standards. Reports to Information Security Manager. 


Job Scope 


• Implement proactive programs to meet fiduciary and legal responsibilities 
of management. 

• Administer security solutions that facilitate the company strategic business 
needs. 

• Conduct security assessment and risk analysis to identify threats to the 
company information assets and computer resources. 

• Assist information owners in identifying and implementing controls to 
mitigate threats to company information assets and computer resources. 

• Monitor compliance to policies on information asset protection. 

• Conduct formal information protection programs and employee awareness 
training. 

• Implement security solutions based on changing technology. 

• Administer proactive computer virus, copyright compliance, business 
continuity planning, and computer emergency response programs 
(CERT). 


Required Skills, Experience, and Competencies 


• Must have a Bachelor's degree from a recognized college or university 
in Management Information Systems, Business, or Computer Science, 
and a minimum of one year job-related experience supporting information 
protection activities, or an Associate's degree in Management 
Information Systems, Business, or Computer Science, and a minimum 
of three years job-related experience, or five years supporting information 
protection activities. 

• Ability to understand and correlate information protection controls to 
business needs. 

• Proven level of oral and written communication skills. 

• Experience in developing and guiding effective, results-oriented, 
team-based projects. 

• Business, research, and computer experience. 

• Ability to create an environment that fosters people and team growth in 
response to customer needs. 

• Ability to represent the organization internally and externally. 

• Ability to translate information security objectives and business strategic 
plans. 




Additional Desired Competencies 


• CISSP and Project Management Professional (PMP) preferred. 

• Comprehensive knowledge of information security field. 

• In-depth knowledge of business unit functions and cross-relationships. 

• Lead technical review process to select new technology solutions. 




Firewall Administrator, Information Security 


Primary Responsibilities 


Provides technical support for remote system access controls. 
Reports to Security Administrator. 


Job Scope 


• Support the operation, administration, and maintenance of the corporate 
Internet firewall. 

• Develop, maintain, and implement procedures to generate and distribute 
Internet access usage reports. 

• Assist in the support and maintenance of the Internet access usage 
policies and guidelines. 

• Respond to critical firewall alarms and take corrective measures. 

• Keep abreast of CERT advisories, firewall product announcements, and 
new Internet technology to improve the protection of the corporate 
network and information systems. 

• Assist in the setup and maintenance of corporate home pages (internal 
and external). 

• Provide assistance in Internet-related issues to internal customers. 

• Monitor the firewall components and provide input into the performance 
and capacity planning for the effective operation of the Internet 
connection. 


Required Skills, Experience, and Competencies 


• Minimum of three years experience in supporting computer and communications 
architecture (both hardware and software) including a 
minimum of one year of UNIX system administration. 

• Must have a working knowledge in the installation, configuration, and 
implementation of Internet firewall technologies. 

• Must be familiar with Internet protocols, services, and applications. 

• Must have a working knowledge in designing, developing, and supporting 
an environment that protects computer systems and information 
from unauthorized access. 

• Must be able to work effectively with people at all levels both within 
and outside the company. 

• Must communicate effectively, both orally and in writing. 

• Must be able to work flexible hours. 


Appendix F 


Security Assessment 


I. Security Policy 


A security policy is the basis of any security effort, and provides a framework 
with which to assess the rest of the organization. 
It is, therefore, the starting point for a Security Assessment. 


Columns: Factors | Rating/Value (1 2 3 4) | Prelim Score | Action Item | Comments | Final Score 

Each factor is rated 1 2 3 4 unless marked (Yes = 1, No = 4). 


A. Policy (1 = Clearly; 2 = Fairly Clearly; 3 = Somewhat Unclear; 4 = Unclear) 

1. Is there an information security policy in place? (Yes = 1, No = 4) 
2. Does the policy state what is and is not permissible? 
3. Does the scope of the policy cover all facets of information? 
4. Does the policy define and identify what is classed as “information”? 
5. Does the policy support the business objectives or mission of the enterprise? 
6. Does the policy identify management and employee responsibilities? 
7. Does the policy make clear the consequences of noncompliance? 


B. Procedures (1 = Completed; 2 = Being Implemented; 3 = In Development; 4 = Have Not Begun) 

1. Are procedures in place to implement the information security policy? 
2. Are the policies and procedures continually evaluated against current enterprise business needs? 
3. Are standards in place to supplement the policies and procedures? 
4. Are the procedures and standards evaluated to determine their level of impact to the business process? 
5. Does the project management methodology uphold the security practices? 


C. Document Handling (1 = Completed; 2 = Being Implemented; 3 = In Development; 4 = Have Not Begun) 

1. Is there a reasonable and usable information classification policy? (Yes = 1, No = 4) 
2. Does the information classification policy address all enterprise information? 
3. Is the information classification policy followed? 
4. Is an information classification methodology in place to assist employees in identifying levels of information within the business unit? 
5. Is there an information-handling matrix that explains how specific information resources are to be handled? 


D. Security Handbook (1 = Completed; 2 = Being Implemented; 3 = In Development; 4 = Have Not Begun) 

1. Is there an information security employee handbook in place? (Yes = 1, No = 4) 
2. Does the handbook cover the entire policy? 
3. Does the handbook identify the importance of the security policy? 
4. Does the handbook address the employee's responsibilities? 
5. Does the handbook stress the degree of employee personal accountability? 
6. Does the handbook make clear the consequences of noncompliance? 


Other Factors 

1. (additional factor) 


Security Policy Total Score: 


Interpreting the total score: Use this table of Risk Assessment questionnaire 
score ranges to assess resolution urgency and related actions. 


If the Score is ... / And ... / The Assessment Rate is ... / Actions Might Include ... 

23 to 40 
  And: Most activities have been implemented; most employees are aware of the program. 
  Rate: Superior 
  Actions might include: 
  • Information Protection (IP) policy is implemented 
  • Supporting standards and procedures are integrated into the workplace 
  • Information classification policy and methodology have been implemented 

41 to 58 
  And: Many activities have been implemented; many employees are aware of the program and its objectives. 
  Rate: Solid 
  Actions might include: 
  • IP policy is being introduced 
  • Supporting standards and procedures are being developed 
  • Employee awareness has begun 

59 to 76 
  And: Some activities are under development; most management endorses IP objectives. 
  Rate: Fair 
  Actions might include: 
  • IP policy and supporting documents are being developed 
  • An IP team has been identified 

77 to 92 
  And: Policies, standards, procedures are missing or not implemented; management and employees are unaware of the need for a program. 
  Rate: Poor 
  Actions might include: 
  • Management has expressed a need for IP policies and procedures 
  • Audit comments are pending 

II. Organizational Suitability 


Security policies and procedures can be rendered useless if the organization 
does not support the information security program. 


Rating Scale: 1 = Yes 4 = No 


Columns: Factors | Rating/Value (1 = Yes, 4 = No) | Prelim Score | Action Item | Comments | Final Score 


A. Organizational Suitability 

1. Does senior management support the information security program? 
2. Are employees able to perform their duties efficiently and effectively while following security procedures? 
3. Does the information security program have its own line item in the budget? 
4. Are resources adequate to fund and staff an effective information security program? 
5. Does the security group have the authority to submit needed security policy changes throughout the enterprise? 
6. Is an annual report on the level of information security compliance issued to management? 


B. Personnel Issues 

1. Does the enterprise have enough employees to support current business goals? 
2. Are employees and project managers aware of their responsibilities for protecting information resources? 
3. Are employees properly trained to perform their tasks? 
4. Does the enterprise have sufficient expertise to implement an information security awareness program? 
5. Are contractor personnel subject to confidentiality agreements? 
6. Are contract personnel subject to the same policies as employees? 
7. Is access to sensitive/confidential information by contract personnel monitored? 


C. Training and Education 

1. Do employees know the business goals and direction? 
2. Do employees receive security-related training specific to their responsibilities? 
3. Are employees receiving both positive and negative feedback related to security on their performance evaluations? 
4. Is security-related training provided periodically to reflect changes and new methods? 
5. Are system administrators given additional security training specific to their jobs? 
6. Is there a regular security awareness and training program in place? 


D. Oversight and Auditing 

1. Are the security policies and procedures routinely tested? 
2. Are exceptions to security policies and procedures justified and documented? 
3. Are audit logs or other reporting mechanisms in place on all platforms? 
4. Are errors and failures tracked? 
5. When an employee is found to be in noncompliance with the security policies, has appropriate disciplinary action been taken? 
6. Are audits performed on a regular basis? 
7. Are unscheduled/surprise audits performed? 
8. Has someone been identified as responsible for reconciling audit results? 


E. Application Development and Management 

1. Has an application development methodology been implemented? 
2. Are appropriate/key application users involved with developing and improving application methodology and implementation process? 
3. Is preproduction testing performed in an isolated environment? 
4. Has a promotion to production procedure been implemented? 
5. Is there a legacy application management program? 


Organizational Suitability Total Score: 


Interpreting the total score: Use this table of Risk Assessment questionnaire 
score ranges to assess resolution urgency and related actions. 


If the Score is ... / And ... / The Assessment Rate is ... / Actions Might Include ... 

23 to 40 
  And: Most activities have been implemented; most employees are aware of the program. 
  Rate: Superior 
  Actions might include: 
  • CIO and mission have been chartered 
  • Employee training is an ongoing process 
  • Awareness training program is in place 
  • IP objectives are reviewed annually 

41 to 58 
  And: Many activities have been implemented; many employees are aware of the program and its objectives. 
  Rate: Solid 
  Actions might include: 
  • CIO is being considered 
  • Mission statement is under development 
  • Initial employee awareness process has begun 

59 to 76 
  And: Some activities are under development; most management endorses IP objectives. 
  Rate: Fair 
  Actions might include: 
  • Search for a CIO has begun 
  • IP group has been identified 
  • Employees have been informed that changes are under way 

77 to 92 
  And: Policies, standards, procedures are missing or not implemented; management and employees are unaware of the need for a program. 
  Rate: Poor 
  Actions might include: 
  • Management has a plan for an IP program 
  • Audit has identified the need 




III. Physical Security 


The security of the equipment and the buildings used by an organization is 
as important as the security of a specific platform. 
Rating Scale: 1 = Yes 2 = Being Implemented 3 = In Development 4 = No 


Columns: Factors | Rating/Value (1 2 3 4) | Prelim Score | Action Item | Comments | Final Score 


A. Physical and Facilities 

1. Is access to buildings controlled? 
2. Is access to computing facilities controlled? 
3. Is there an additional level of control for after-hours access? 
4. Is there an audit log to identify the individual and the time of access for nonstandard hours access? 
5. Are systems and other hardware adequately protected from theft? 
6. Are procedures in place for the proper disposal of confidential information? 


B. After-Hours Review 

1. Are areas containing sensitive information properly secured? 
2. Are workstations secured after hours? 
3. Are keys and access cards properly secured? 
4. Is confidential information properly secured? 
5. Are contract cleaning crews' activities monitored? 


C. Incident Handling 

1. Has an Incident Response Team (IRT) been established? 
2. Have employees been trained regarding when the IRT should be notified? 
3. Has the IRT been trained in evidence gathering and handling? 
4. Are incident reports issued to appropriate management? 
5. After an incident, are policies and procedures reviewed to determine if modifications need to be implemented? 


D. Contingency Planning 

1. Has a Business Impact Analysis (BIA) been conducted on all systems, applications, and platforms? 
2. Is there a documented data center Disaster Recovery Plan (DRP) in place? 
3. Has the data center DRP been tested within the past 12 months? 
4. Are system, application, and data backups sent to a secure off-site facility on a regular basis? 
5. Are service level agreements (SLA) that identify processing requirements in place with all users and service providers? 
6. Have departments, business units, groups, and other such entities implemented business continuity plans that supplement the data center DRP? 
7. Have emergency response procedures (ERP) been implemented? 
8. Have ERPs been tested for effectiveness? 


Physical Security Total Score: 


Interpreting the total score: Use this table of Risk Assessment questionnaire 
score ranges to assess resolution urgency and related actions. 


If the Score is ... / And ... / The Assessment Rate is ... / Actions Might Include ... 

23 to 40 
  And: Most activities have been implemented; most employees are aware of the program. 
  Rate: Superior 
  Actions might include: 
  • Access to sensitive areas is restricted via automated mechanism 
  • An incident response team has been implemented 
  • Contingency plans are tested annually 

41 to 58 
  And: Many activities have been implemented; many employees are aware of the program and its objectives. 
  Rate: Solid 
  Actions might include: 
  • Access to sensitive areas is generally restricted 
  • Employees are aware of fire safety procedures 
  • Contingency plans have been developed 

59 to 76 
  And: Some activities are under development; most management endorses IP objectives. 
  Rate: Fair 
  Actions might include: 
  • Access to sensitive areas requires sign-in 
  • Employees contact the help desk when there is a problem 
  • Contingency plans are being developed 

77 to 92 
  And: Policies, standards, procedures are missing or not implemented; management and employees are unaware of the need for a program. 
  Rate: Poor 
  Actions might include: 
  • Access to sensitive areas is being defined 
  • Incidents are handled locally 
  • Backups are sent off site 


IV. Business Impact Analysis, Continuity Planning Processes 


The ability to recover time-critical processes and supporting systems and other 
resources is important to every organization. To be successful, an enterprise 
must establish a method to rank processes, applications, systems, networks, 
facilities, etc. and to recover them in a timely manner. 

Rating Scale: 1 = Yes 2 = Being Implemented 3 = In Development 4 = No 


Columns: Factors | Rating/Value (1 2 3 4) | Prelim Score | Action Item | Comments | Final Score 


A. Business Impact Analysis (BIA) 

1. A business impact analysis (BIA) has been conducted for all business processes, applications, systems, networks, and facilities. 
2. Continuity planning includes identification of all time-critical data, programs, documentation, and supporting resources required in performance of essential tasks during the recovery period. 
3. The BIA is reviewed and updated regularly with attention to new technologies, migration of applications to alternative platforms, business process, and organizational changes, etc. 
4. Critical time frames have been identified for all support resources (i.e., applications, systems, networks, facilities, business units, etc.). 
5. Executive management has reviewed and approved the prioritized list of time-critical recovery requirements. 


B. Enterprise Continuity and Crisis Management Plans 

1. An enterprise continuity and crisis management planning infrastructure coordinator has been named and a mission statement identifying scope and responsibilities has been formalized. 
2. Worst-case scenario continuity plans (both IT and business operations) and crisis management infrastructure designed for timely recovery of operations within prescribed time frames have been implemented, tested, and are maintained. 
3. Emergency response procedures that detail actions in emergency situations (i.e., fire, bomb threat, flood, electrical outages, hacker and virus incidents, etc.) are formalized and strategically located throughout the facility and at off-site locations, and appropriate employee training and awareness programs are in place. 
4. The remote recovery facilities (i.e., IT, business operations, emergency operations centers, etc.) are located in a geographical location unlikely to be affected by the same disruption as the primary facilities. 
5. Contracts for outsourced activities have been amended to include service providers' responsibilities for continuity planning. 
6. Continuity and crisis management plans are in place to ensure that adequate supplies of time-critical inventory (i.e., hardware, software, communications, facilities, people, working space, documentation, data, transportation, etc.) are in place. 
7. Lead times for IT and business operations communication lines and equipment, specialized devices, power hookups, construction, firewalls, computer configurations, and LAN implementation have been factored into the continuity plans. 
8. At least one copy of each of the continuity plans is stored at the backup site and is updated regularly. 
9. Automatic restart and recovery procedures are in place to restore IT data files in the event of a processing failure. 
10. Contingency arrangements are in place for hardware, software, communications, facilities, business operations, and supporting staffing. 


C. Testing, Maintenance, and Awareness 

1. Continuity and crisis management plan recovery activities and tasks are defined with appropriate responsibilities assigned to members of the recovery team infrastructure for each plan. 
2. Training sessions are conducted for all relevant personnel on backup, recovery, crisis management, and contingency operating procedures. 
3. Continuity and crisis management plan recovery team members have an active role in creating and reviewing control reliability and recovery provisions for relevant processes, applications, systems, networks, etc. 
4. Appropriate recovery team representatives participate in continuity and crisis management tests. 


D. Other Issues 

1. Provisions are in place to maintain the security of business operations and IT processing functions in the event of an emergency. 
2. Insurance coverage for losses incurred as a result of a disaster to the enterprise is in place. 


Business Impact Analysis, Continuity Planning Processes Total Score: 




Interpreting the total score: Use this table of Risk Assessment questionnaire 
score ranges to assess resolution urgency and related actions. 


If the Score is ... / And ... / The Assessment Rate is ... / Actions Might Include ... 

21 to 36 
  And: Most activities have been implemented; most employees are aware of the program. 
  Rate: Superior 
  Actions might include: 
  • Continuity and crisis management plans are in place and have been tested 
  • Employees are trained in continuity and crisis management plan roles 
  • BIAs are reviewed annually 
  • Continuity and crisis management plan coordinator(s) has been identified 

37 to 52 
  And: Many activities have been implemented; many employees are aware of the program and its objectives. 
  Rate: Solid 
  Actions might include: 
  • Continuity and crisis management plans are written 
  • Employees are aware of their roles in the continuity and crisis management plans 
  • Management supports and has budgeted for the continuity and crisis management planning business process 

53 to 67 
  And: Some activities are under development; most management endorses information protection objectives. 
  Rate: Fair 
  Actions might include: 
  • Continuity and crisis management plans task force has been formed 
  • Time-critical processes, systems, applications, network, etc. assessment has begun 

68 to 84 
  And: Policies, standards, procedures are missing or not implemented; management and employees are unaware of the need for a program. 
  Rate: Poor 
  Actions might include: 
  • Time-critical resources are being identified 
  • Backups are stored off site 
  • Audit has identified a weakness in the continuity and crisis management planning process 
  • Management is aware of its responsibility 


V. Technical Safeguards 


Technical safeguards enforce the security policies and procedures throughout 
the network infrastructure. 


Rating Scale: 1 = Yes 2 = Being Implemented 3 = In Development 4 = No 


Factors                                                  Rating/Value   Prelim Score   Action Item   Comments   Final Score

A. Network Infrastructure
 1. Is the network environment partitioned?                                     1 2 3 4
 2. Are the desktop platforms secured?                                          1 2 3 4
 3. Are host systems and servers as well as application servers secured?        1 2 3 4
 4. Are passwords and/or accounts being shared?                                 1 2 3 4
 5. Are unsecure user accounts (e.g., guest) still active?                      1 2 3 4
 6. Are temporary user accounts restricted and disabled in a timely fashion?    1 2 3 4
 7. Have employees been trained on proper password management?                  1 2 3 4
 8. Are users of all company-provided network resources required to change
    the initial default password?                                               1 2 3 4
 9. Are the passwords required to use current tools as secure as the tools
    allow them to be?                                                           1 2 3 4
10. Do network and system administrators have adequate experience to
    implement security standards?                                               1 2 3 4
11. Are report logs reviewed and reconciled on a regular basis?                 1 2 3 4
12. Are "permissions" being set securely?                                       1 2 3 4


13. Are administrators using appropriate tools to perform their jobs?           1 2 3 4
14. Is there a current network diagram available?                               1 2 3 4
15. Are access control lists (ACL) maintained on a regular basis?               1 2 3 4
16. Is there a remote access procedure in place?                                1 2 3 4
17. Are critical servers protected with appropriate access controls?            1 2 3 4
18. Is the network infrastructure audited on a regular basis?                   1 2 3 4
19. Are network vulnerability assessments conducted?                            1 2 3 4
20. Are changes/improvements made in a timely fashion following network
    vulnerability assessments?                                                  1 2 3 4

B. Firewalls
 1. Are protocols allowed to go across the firewall?                            1 2 3 4
 2. Has a risk analysis been conducted to determine if the protocols allowed
    maintain an acceptable level of risk?                                       1 2 3 4
 3. Has the firewall been tested to determine if outside penetration is
    possible?                                                                   1 2 3 4
 4. Are other products in place to augment the firewall level of security?      1 2 3 4
 5. Are the firewalls maintained and monitored around the clock?                1 2 3 4
 6. Have services offered across the firewall been documented?                  1 2 3 4
 7. Has a demilitarized zone (DMZ) or perimeter network (a segment of network
    between the router that connects to the Internet and the firewall) been
    implemented?                                                                1 2 3 4

Technical Safeguards Total Score:


Interpreting the total score: Use this table of Risk Assessment questionnaire
score ranges to assess resolution urgency and related actions.

If the Score Is 23 to 40
  And:
    Most activities have been implemented
    Most employees are aware of the program
  The Assessment Rate Is: Superior
  Actions Might Include:
    Network security policies and standards are implemented
    System and LAN administrators are trained in security issues
    Firewalls are implemented and monitored

If the Score Is 41 to 58
  And:
    Many activities have been implemented
    Many employees are aware of the program and its objectives
  The Assessment Rate Is: Solid
  Actions Might Include:
    Network security policy is being approved
    Network and desktop standards are under development
    Firewall administrator job description has been developed

If the Score Is 59 to 76
  And:
    Some activities are under development
    Most management endorses IP objectives
  The Assessment Rate Is: Fair
  Actions Might Include:
    Subject matter experts have been identified
    Policy and procedures development team has been identified
    Firewall implementation is under way

If the Score Is 77 to 92
  And:
    Policies, standards, procedures are missing or not implemented
    Management and employees are unaware of the need for a program
  The Assessment Rate Is: Poor
  Actions Might Include:
    Management has expressed a concern for network security
    Internet connection is being considered


VI. Telecommunications Security

Enterprises must take precautions to protect their information when it is being
transmitted via various telecommunication processes.

Rating Scale: 1 = Yes 2 = Being Implemented 3 = In Development 4 = No


Factors                                                  Rating/Value   Prelim Score   Action Item   Comments   Final Score

A. Policy
 1. There is a published policy on the use of organizational
    telecommunications resources.                                               1 2 3 4
 2. All employees have been made aware of the telecommunications policy.        1 2 3 4
 3. Employees authorized for Internet access are made aware of the
    proprietary information of the organization and what they can discuss
    in open forums.                                                             1 2 3 4
 4. Employees using cellular or wireless phones are briefed on the lack of
    privacy of conversations when using unsecured versions of this
    technology.                                                                 1 2 3 4
 5. Terminating employees have their calling cards and voice-mail passwords
    disabled.                                                                   1 2 3 4
 6. Temporary and contract personnel have their calling cards and voice-mail
    passwords disabled when their assignment ends.                              1 2 3 4
 7. The organization has a published policy on prosecution of employees and
    outsiders if found guilty of serious premeditated criminal acts against
    the organization.                                                           1 2 3 4


B. Standards
 1. A threshold is established to monitor and suspend repeated unsuccessful
    dial-in attempts.                                                           1 2 3 4
 2. Access to databases reachable via dial-in has an access control in place
    to prevent unauthorized access.                                             1 2 3 4
 3. Financial applications available via dial-in have audit trails
    established to track access and transaction usage.                          1 2 3 4
 4. Are audit trails reviewed and corrective action taken on a regular
    basis?                                                                      1 2 3 4
 5. Wherever possible, the mainframe security program is used to control
    dial-in access to specific applications.                                    1 2 3 4
 6. Company proprietary data stored on portable computers is secured from
    unauthorized access.                                                        1 2 3 4
 7. Users of all company-provided communication systems are required to
    change the default or initial password.                                     1 2 3 4

C. Practices
 1. Security, application, and network personnel actively work to ensure
    control inconvenience is as minimal as possible.                            1 2 3 4
 2. Personnel independent of the operations staff and/or security
    administration review tamper-resistant logs and audit trails.               1 2 3 4


 3. Special procedures and audited "firecall" user ids have been established
    for application, system, and network troubleshooting activities.            1 2 3 4
 4. Telephone usage logs are reviewed on a regular basis to discover
    potential usage abuse.                                                      1 2 3 4
 5. Messages and transactions coming in via phone lines are serially
    numbered, time-stamped, and logged for audit investigation and backup
    purposes.                                                                   1 2 3 4
 6. Employees are made aware of their responsibility to keep remote access
    codes secure from unauthorized access and/or usage.                         1 2 3 4
 7. Portable computer users are provided with a mechanism to allow backup of
    appropriate sensitive information or critical application to a server or
    to portable storage media.                                                  1 2 3 4
 8. Removal of portable computers from the company location must be done
    through normal property removal procedures.                                 1 2 3 4
 9. Employees are briefed on their responsibility to protect the property
    (physical and logical) of the company when working away from the company
    environment.                                                                1 2 3 4

Telecommunications Security Total Score:




Interpreting the total score: Use this table of Risk Assessment questionnaire
score ranges to assess resolution urgency and related actions.

If the Score Is 21 to 36
  And:
    Most activities have been implemented
    Most employees are aware of the program
  The Assessment Rate Is: Superior
  Actions Might Include:
    Telecommunications security policies and standards are implemented
    Telecom administrators are trained in security issues
    Usage reports are monitored
    Discrepancies are investigated

If the Score Is 37 to 52
  And:
    Many activities have been implemented
    Many employees are aware of the program and its objectives
  The Assessment Rate Is: Solid
  Actions Might Include:
    Telecommunications security policy is being approved
    Standards are under development
    System and report logs are being generated

If the Score Is 53 to 67
  And:
    Some activities are under development
    Most management endorses IP objectives
  The Assessment Rate Is: Fair
  Actions Might Include:
    Subject matter experts have been identified
    Policy and procedures development team has been identified
    Telecom standards implementation is under way

If the Score Is 68 to 84
  And:
    Policies, standards, procedures are missing or not implemented
    Management and employees are unaware of the need for a program
  The Assessment Rate Is: Poor
  Actions Might Include:
    Management has expressed a concern for telecommunication security
    Audit has identified weaknesses in telecommunications security




About the Author


Thomas R. Peltier, CISSP, is in his fourth decade of computer technology
experience as an operator, applications and systems programmer, systems
analyst, and information systems security officer. Currently, he is president
of Peltier & Associates. Prior to that he was Director of Policies and
Administration for the Netigy Corporation's Global Security Practice, the
National Director for Consulting Services for CyberSafe Corporation, and the
Corporate Information Protection Coordinator for Detroit Edison. This program
has been recognized for excellence in the field of computer and information
security by winning the Computer Security Institute's Information Security
Program of the Year for 1996. Previously he was the Information Security
Specialist for General Motors Corporation and was responsible for implementing
an information security program for GM's worldwide activities.

Tom has had a number of articles published on various computer and
information security issues, including developing policies and procedures,
disaster recovery planning, copyright compliance, virus management, and
security controls. He has published books titled Information Security Risk
Analysis, Information System Security Policies and Procedures: A Practitioner's
Reference, The Complete Manual of Policies and Procedures for Data Security,
and is a contributing author for the Computer Security Handbook, both the
third and fifth editions, and for Data Security Management.

Tom has been the technical advisor on a number of security films from
Commonwealth Films. He is the past chairman of the Computer Security
Institute (CSI) advisory council, the chairman of the 18th Annual CSI
Conference, founder and past-president of the Southeast Michigan Computer
Security Special Interest Group, and a former member of the board of directors
for (ISC)², the security professional certification organization. He was the
1993 "Lifetime Award" recipient at the 20th Annual CSI conference. He also
received the 1999 Information Systems Security Association's Individual
Contribution to the Profession Award and the CSI Lifetime Emeritus Membership
Award. He conducts numerous seminars and workshops on various security topics
and has led seminars for CSI, Crisis Management, American Institute of
Banking, the American Institute of Certified Public Accountants, Institute of
Internal Auditors, ISACA, and Sungard Planning Solutions. Tom was also an
Associate Professor at the graduate level for Eastern Michigan University.


Index 


A 


Access control, 95, 182, 233 
authorization, 147-148 
dial-in access policy, 231—232 
employee mind-set and, 4 
example policy, standard, guideline, and 
procedure statements, 26 
general security policy, 214 
ISO 17799 standard, 79-80 
logging, 136 
network security policy, 201—202, 234—235
physical locations, 180 
third-party access, 142—143 
Accounting practices and procedures, 53 
Acronyms, 85 
list of, 215—223 
Active voice, 86 
Application access control, ISO 17799 
standard, 80, See also Software 
usage 
Application development 
personnel, 5 
policy, 183, 236 
security assessment checklist, 267 
Application-specific policy, 31 
Asset classification and control, 178-179, See 
Information classification 
Attention spans, 14 
Audiovisual media, 156, 159 
Auditing, 266 
Australian-New Zealand (ANZ 4444)
standard, 25
Authenticated user, 95 
Authentication, 95, 202 
Authorization, 95, 147—148 
Authorized person, 95 


Awareness program, See Security awareness 
program 


B 


Backup and recovery, 139-140, 200—201 
Best practices, policy baseline checklist, 195 
British Standard 7799 (BS 7799), 25, 71 
Business continuity planning, 183-184, 230 
ISO 17799 standards, 81 
Business impact analysis (BIA), 2, 184, 270, 
273 
Business objectives
information classification and, 108—109 
information protection and, 1 
information security program and, 150 
security goals vs., 54-55 
security policies and, 28, 46, 65-66 
Business resumption planning (BRP), 62 


C 


Caption style for procedures, 88, 91, 93 

Cardcode, 95 

Chief executive officer (CEO), 64 

Chief financial officer (CFO), 64 

Chief information officer (CIO), 4, 56, 73, 150, 
255-256 

Classified information, See Information 
classification 

Communications security, See also E-mail, 
Internet, Network security

communications plan, 171-173 




policy, 181, 211-212, 234-235, 238, 
243—248 
telecommunications security checklist, 
281—284 
Compliance ISO 17799 standards, 81 
policy statements, 30, 33, 34, 35, 37, 44, 
184 
Computer criminals, 8 
Computer security, 95 
objectives, 55—56
standards, 78-80, 82 
Confidentiality, 48, 95 
Confidentiality 
contract personnel policy, 239-241 
customer nondisclosure policy, 203-204 
Confidential or sensitive information, 111, 
114-116, 118, 179, See also 
Information classification 
Conflict of interest, 205-207 
Contingency planning, See also Business 
impact analysis 
network contingency plan, 235
security assessment checklist, 270 
Contingency planning group, 5
Continuity planning, security assessment 
checklist, 274—276 
Contract personnel confidentiality policy, 
239-241 
Conversational styles, 86 
Copying, 118, 141 
Copyrighted material, 111—112, 251 
Cost-effectiveness, of information protection, 
2 
Cost management, 170 
Crackers, 9 
Customer security requirements, 203—204 


D 


Data, 96 

Data backup and recovery, 139-140, 200—201 

Database information, 121 

Data exchange, ISO 17799 standards, 79 

Data integrity, 96 

Data processing department, mission 
statement, 59 

Demilitarized zone (DMZ), 280 

Denial of service, 96 

Dial-in access policy, 231-232 

Dial-up network access, information handling
procedures matrix, 125 

Director of Management Information Systems 
(DMIS), 65 

Disciplinary procedures, 209 


Discretionary access control, 96 
Document destruction, 118, 137-139 

Due care, information protection and, 1 
Due diligence, security policy and, 23, 24 


E 


Economic Espionage Act of 1996, 111 
Electronic communications, See 
Communications security 
Electronic file transfer, 134 
Electronic transaction processing, 135 
E-mail policy, 238, 243-248 
minimum data protection, 133 
passwords, 246
privacy expectations, 246-247 
Emergency planning, 230, See also Business 
impact analysis; Contingency 
planning 
security assessment checklist, 270, 273-276 
Employee attitudes, 4 
Employee awareness, See Security awareness 
program 
Employee manuals or handbooks, 25, 69, 190 
Employee sabotage, 8 
Employee standards of conduct, 208-210 
Encryption requirements, 202 
End user responsibilities, 147 
Equipment inventory, ISO 17799 standards, 78 
Ethics policy, software use, 184—185 
External communications policy, 211—212, See 
also Communications security 
Extranet access, information handling 
procedures matrix, 124 


F 


Facilitated Risk Analysis Process (FRAP), 10 
Facility security, See Physical security 
Facsimile transmittal, 132 

Fax security, 132 

File server access policy, 201 

Firewall administrator, 56, 260

Firewalls, 279-280

Flowchart style for procedures, 88, 100-101
Fraud, 8 

FTP, 134 


G 


General security policy, 22, 25, 214 




Generally accepted accounting practices 
(GAAP) standard, 53 
Generally Accepted System Security Principles 
(GASSP), 25 
Gifts, 206 
Guidelines, 25 
definition, 26, 83 
example statements, 26 


H 


Hackers, 9 

Handbooks or manuals, 25, 69, 190, 263 

Harassment policy, 210 

Headline style for procedures, 88, 89-91

Highly confidential or highly restricted 
information, 113-114, 119—120, 
123-144 

Hospital information classification policy 
example, 48—49 

Housekeeping, ISO 17799 standards, 79 

Human resource management, 5, 171 

personnel security, 179-180


I


Identification, 96
Illustrations, 85-86 
Incident response, 197 
ISO 17799 standards, 78 
reporting policy, 196 
security assessment checklist, 270 
Information/data storage, 129 
Information classification, 2, 107—148, 151, 
190 
access and risk zones, 123-126 
business priorities and, 108—109 
confidential information, 111 
data protection requirements, 118 
declassification/reclassification, 43, 118, 
141 
examples, 113-118 
hospital policy example, 48-49 
information handling procedures matrix, 
123-126 
information roles and responsibilities, 122 
information types, 121 
ISO 17799 standards, 77 
matrix, 119—122 
methodology, 118 
minimum data protection mechanisms, 
127-144 




audit and systems logs, 141 
backup and recovery, 139-140 
declassification/reclassification 
authority, 141 
e-mail, 135 
electronic file transfer, 134 
electronic transaction processing, 135 
facsimile transmittal, 132
handling third-party information, 141 
information marking, 127—128 
legal requirements, 144 
logging of access, 136 
mailing/shipping, 130-131
on-site destruction/disposal, 137-139 
printing, 142 
storage, 129 
system documentation, 140 
third-party access, 142-143 
user training, 143 
policy baseline checklist, 195 
policy development, 110 
classification categories, 110-111 
team for, 109 
policy examples, 43—44, 178-179 
reasons for, 107—108 
security assessment checklist, 262 
standards, 74—75 
worksheet, 145—146 
Information custodian responsibilities, 147 
Information handling procedures matrix, 
123-126 
Information owner responsibilities, 2, 147
Information protection, See also Information 
classification, Information security 
policy 
business goals vs. security goals, 54—55 
comprehensive and integrated approach, 2 
comprehensive approach, 5 
cost-effectiveness, 2 
due care and, 1 
elements of, 1—3 
employee attitudes, 4 
implementation costs for controls, 10 
legal requirements, 144 
minimum information protection 
requirements, 127—144, See also 
Information classification 
organizational culture and, 3 
periodic reassessment, 3 
policy examples, 47—48, 50, 117—118, See
also Information security policy 
program, See Information security program 
purpose of, 1 
responsibilities and accountabilities, 2 
risk management, See Risk management 




sample corporate policy, 213 
support for business objectives, 1 
typical program elements, 11 
Information protection group, example 
mission statement for, 67, 72 
Information security, 96, See also Information 
protection 
awareness, 190-191, See Security 
awareness program 
five-year plan, 66 
handbook or manual, 25, 69, 190 
infrastructure, 177—178 
infrastructure, ISO 17799 standards, 77 
mission statement, 59, 60, 62 
policy, See Information security policy 
procedures, See Procedures 
project management, See Project 
management 
programs, See Information security 
program 
self-assessment, 158-159 
standards, See Standards 
threats, 8—9 
Information security coordinators, 150, 157 
Information security manager, 56, 257 
Information Security Officer (ISO), 65
Information security personnel 
allocation of information security 
responsibilities, 56—57
information protection coordinators, 150, 
157 
job descriptions, 5-8, 255—260 
standards, 71, 73 
management hierarchy and 
responsibilities, 65 
roles and responsibilities, 4—8 
stakeholder partnership, 187 
Information security policy, 9, 188, See also 
specific elements, topics 
approach for creating effective policy 
statements, 46—47 
business objectives and, 28, 46, 65-66 
communication plan, 45 
content considerations, 22, 31—32
corporate policy, 3 
definitions, 21—22, 26 
due diligence and, 23, 24 
executive liability, 24 
FAQs, 22-25 
format and basic components, 28-31 
application-specific policy, 31 
program policy, 29—30 
topic-specific policy 
general policy, 22, 25, 214 


hierarchy of policies, standards, and 
procedures, 70 
information classification, See Information 
classification 
internal and external policies, 21 
ISO 17799 guidelines, 45—46, 77, See also 
ISO 17799 
key elements, 27—28 
management commitment statement, 31 
management support and visibility, 44—45 
mission statement, See Mission statement 
policy and procedures implementation, 
See Project management
program policy examples, 52-58 
insurance company, 37—38 
international manufacturing company, 
35-37 
medical services organization, 33-35 
power company, 35
utility company, 32-33 
reasons for implementing, 23 
regulations and standards, 23-24, See also 
Standards 
sample policies, 176-177, 225-253 
access control, 253 
business continuity planning, 230 
communications security, 234-235
contract personnel confidentiality, 
239—241 
dial-in access, 231-232 
electronic communications, 238, 
243—248 
information protection, 47—48, 50, 
117—118 
monitoring policy on sign-on banner, 
242 
network security, 225-229, 234—235, 
257 
providing safe and secure environment, 
26 
restricted information access, 26 
software development, 236 
software usage, 249—255 
system and network security, 237 
security assessment checklist, 261—264 
stakeholder involvement in making, 54 
standards and, 76, 189 
system/application specific, 22 
topic-specific, 22, 29, 30—31, 38—44 
information classification, 43—44 
Internet security, 38-39 
telecommuting, 39—43 
types, 29 
writing mechanics, 13-19 




Information security policy, policy baseline 
checklist, 195—204 
network security, 201—203 
security management, 195 
software security, 200, 203 
system monitoring, 196—-197 
third-party services, 203—204 
user account administration, 197-198 
workstation security, 200-201
Information security program, 149-159 
awareness, See Security awareness 
program 
business objectives and, 150
elements of, 150—151 
follow-up, 152
goals of, 149—150 
project management, See Project 
management 
standards for comprehensive program, 
55—50 
Information systems security, 96 
Information Systems Security Officer (ISSO),
1, 96 
Information types, 121 
Insider trading, 207 
Insurance company, security program policy 
example, 37—38
Integrity, 96 
Internal use only (or restricted) information, 
114, 116, 118, 119-120, 123-144, 
179 
International manufacturing company 
mission statement example, 57—58 
security program policy example, 35-37 
International Organization for Standardization 
(ISO), 25, 77, See also ISO 17799 
Internet 
information handling procedures matrix, 
125 
rules of behavior, 203 
security policy example, 38—39 
Usage and Responsibility Agreement, 39 
Intrusion detection systems, 197 
ISO 17799, 23-25, 45-46, 71—72, 75-76, 175, 
190, 191 
allocation of information security 
responsibilities, 56-57 
code of practice for information security 
management, 175-185 
access control policy, 182 
asset classification and control, 178-179 
business continuity planning, 183-184 
communications and operations 
management, 181-182 
compliance, 184 




information security infrastructure, 
177-178 
information security policy example, 
176-177 
personnel security, 179—180 
physical and environmental security, 
180—181 
scope, 175 
software code of ethics, 184—185
systems development and maintenance, 
183 
terms and definitions, 175-176 
mission statement standard, 53, 56-57 
summary of controls, 77-81 


J


Job descriptions, 5-8, 255-260 
standards, 71, 73 


L 


Leadership, 150, See also Management 
commitment and support 

Legal requirements, for information 
protection, 144 

Liability issues, 24 

Logging of access, 136-137 


M 


Management commitment and support, 
153-154, 161—163 
for mission statement, 63-64 
in policy documents, 31 
policy visibility and, 44 
standards and, 69 
Management roles and responsibilities, 
structural hierarchy, 64—65 
Manuals or handbooks, 25, 69, 190, 263 
Manufacturing company 
mission statement examples, 57—62 
security program policy example, 35-37 
Matrix style for procedures, 88, 92, 93 
Media handling, ISO 17799 standards, 79 
Medical services organization, security 
program policy example, 33-35 
Mission statement, 53-67, 188 
allocation of information security 
responsibilities, 56-57 
business goals vs. security goals, 54—55 




computer security objectives, 55-56 
examples 
corporate data processing department, 
59 
corporate information security 
administration, 59, 60 
global manufacturing company, 57—58 
information protection group, 67, 72 
information security department, 62-63 
medium-sized manufacturing company, 
59—62
North American manufacturing 
company, 58—59 
format, 56 
ISO 17799 standard, 53, 56—57 
management support for, 63—64 
stakeholder involvement in making, 54 
standards and, 71, 72 
Monitoring policy, 196-197 
ISO 17799 standards, 80 
sign-on banner policy, 242 
Multinational organizations, 3 


N 


Narrative style for procedures, 88, 92, 94—100 
Network acceptable use, 205
Network security, 97

access, information handling procedures 

matrix, 124 

contingency plan, 235

definitions, 228 

ISO 17799 standards, 78—79 

policy, 201—203, 225-229, 234—235, 237 

privacy policy, 202 

security assessment checklist, 278-279 
Nondisclosure policy, 203-204 


O 


Open Systems Interconnection (OSI), 23

Operational change control, 181—182 

Organizational culture, 3 

Organizational structure, management levels 
and responsibilities, 64—65 


P 


Passcode, 97 
Passwords 
e-mail policy, 246 


example standard, guideline, and 
procedure statements, 26 
management policy, 198-199 
security assessment checklist, 278 
user authorization example, 75 
Personal identification number (PIN), 97, 98 
Personnel security, 179-180 
ISO 17799 standards, 77—78
Physical security, 180-181, 214 
ISO 17799 standards, 78 
security assessment checklist, 269-272 
staff, 5 
PIN, 97, 98 
Planning for quality, 170 
Playscript style for procedures, 88, 101—102 
Policy 
defined, 83 
differentiating from standards, guidelines, 
and procedures, 25 
information security, See Information 
security policy 
mission statement and, 56 
writing mechanics, See Writing mechanics 
Policy and procedures implementation, See 
Project management 
Power company, security program policy 
example, 35 
Printing security, 142 
Privacy, 48 
e-mail policy, 246-247 
Privilege management policy, 199-200 
Procedures, 25, 83—106 
creating, 105 
definition, 26, 83-84 
development checklist, 86-87 
elements of, 190 
hierarchy of policies, standards, and 
procedures, 70 
providing safe and secure environment, 27 
purposes for writing, 86 
restricted information access, 26 
security assessment checklist, 262 
styles, 88—105 
caption, 88, 91, 93 
flowchart, 88, 100—101
headline, 88, 89—91
matrix, 88, 92, 93 
narrative, 88, 92, 94—100 
playscript, 88, 101—102 
tree, 102—105 
topic-specific policy format and elements, 
30—31 
writing guidelines, 84—86, 190
getting started, 87—88 
styles, 88—105 




writing commandments, 84—86 
Procedures and methods division, 53 
Procurement staff, 5 
Program policy, 29—30, See also Information 

security policy 
examples, 32-58 
Project management, 161—173, 191
communications plan, 171-173 
cost management, 170 
defining objectives and requirements, 163
human resource management, 171 
kickoff meeting, 164, 165 
planning for quality, 170 
project sponsor and, 161—163 
scope of work, 163-164 
time management, 164, 166, 168-170 
work breakdown structure, 163, 164, 166,
167—168, 170 
Project manager, 162 
Public communications policy, 211-212 
Public or unclassified information, 114, 116, 
118, 119-120, 179 


Q 


Quality assurance personnel, 5 
Quality planning, 170 


R 


Responsibilities and accountabilities, 2, 4-8, 
122 
authorization for access, 147—148 
example policy statements, 29-30, 33, 34, 
35, 37 
information classification matrix, 122 
information end users, 122 
ISO 17799 standard for allocation, 56-57 
management structural hierarchy, 64-65 
policy statements, 43—44, 48 
procedure writing, 87
topic-specific policy statement, 30 
Restricted or internal use information, 26, 114, 
116, 118, 119-120, 123-144 
Risk analysis, 2, 9-10, 75-76 
Risk assessment, 75-76, See also Security 
assessment checklist 
business impact analysis, 184 
Risk management, 9-11, 76 
acceptable risks, 10 
Rotation of assignments, 151 




S 


Sabotage, 8 
Scheduling, information security program, 
164, 166, 168-170 
Scope 
example policy statements, 29, 33, 34, 35, 
37 
procedure writing, 87 
Secure areas, ISO 17799 standards, 78 
Secure corporate networks/systems, 124 
SecurID card, 97-100 
Security administrator, 4, 56, 258-259 
Security assessment checklist, 261-284 
application development and 
management, 267 
business impact analysis, 270, 273 
contingency planning, 270 
continuity planning, 274-276 
incident handling, 270 
network infrastructure, 278-279 
organizational suitability, 264-268 
personnel issues, 265 
security policy, 261-264 
technical safeguards, 278-280 
telecommunications, 281-284 
training and education, 265-266 
Security audits, 266 
Security awareness program, 149-159 
assessing level of awareness, 154-155 
conveying awareness message, 155-157 
development, 154-155 
goals, 151-152 
identifying training needs, 153-154 
information security message, 158 
manager support, 153-154 
media use, 156, 159 
methods, 155-157 
presentation elements and format, 157-158 
scheduling, 158 
self-assessment, 158-159 
Security Dynamics, Inc. (SDI), 97 
Security goals, business goals vs., 54-55 
Security handbook or manual, 25, 69, 190, 263 
Security information management systems, 
ISO 17799 standard, 24 
Security inspection, walkabout, 154-155 
Security organization, ISO 17799 standards, 77 
Security policy, 97, See Information security 
policy 
Senior management 
commitment, See Management 
commitment and support 
liability, 24 




responsibilities, 4, See also Responsibilities 
and accountabilities 
responsibilities and structural hierarchy, 
64-65 
Separation of duties, 151 
Sexual harassment policy, 210 
Shareware, 250 
Shredding, 138-139 
Sign-on screen, 2, 242 
Smart cards, SecurID card system (SDI), 
97-100 
Software development, See Application 
development 
Software usage, 200, 203, 204, 249-253 
ISO 17799 standards, 79 
licensing agreements, 200, 203 
user code of ethics, 184-185 
Standards, 25, 69-82, 189 
definition, 26, 83 
examples of, 26, 71 
hierarchy of policies, standards, and 
procedures, 70 
information classification, 74-75 
information security handbook, 69 
international standards, 71-72, 75-76, See 
also ISO 17799 
job descriptions, 71, 73 
management commitment and, 69 
mission statement and, 71, 72 
policy and, 76, 189 
providing safe and secure environment, 26 
restricted information access, 26 
user authorization example, 75 
workstation minimum system 
configurations, 82 
Standards of employee conduct, 208-210 
Structured information or data, 121 
Subject matter experts, 84-85, 87-88 
System/application-specific policy, 22 
System administrator, 229 
System and network security policy, 237 
System audit, ISO 17799 standards, 81 
System documentation, 140 
System Security Administrator (SSA), 65 
Systems development and maintenance, 183 
ISO 17799 standards, 80-81 
life cycle, 2 


T 


Team development, 171 
Technical safeguards, security assessment 
checklist, 278-280 


Telecommunications security checklist, 
281-284, See also Communications 
security 

Telecommuting policy, 39-43 

Theft, 8 

Thesis statement, 17, 30 

Third-party access controls, 142-143 

Third-party services security policy, 203-204 

Top secret information, 113-114 

Topic-specific policy, 22, 29, 30-31 

examples, 38-44 
information classification, 43-44 
Internet security, 38-39 
telecommuting, 39-43 
ISO 17799 guidelines, 45-46 
Topic sentence or statement, 13, 16-17 
example policy statements, 29, 33, 34, 35, 
37 
Trade secret information, 111 
Training, See also Security awareness program 
identifying needs, 153-154 
ISO 17799 standards, 78 
methods, 155-157 
minimum information protection 
mechanisms, 143 
presentation elements and format, 157-158 
project management, 171 
scheduling, 158 
security assessment checklist, 265-266 

Tree style for procedures, 102-105 

Trojan horses, 8 

Trust relationships, 202 


U 


User account administration policy, 197-200 

User authorization, example standards, 75 

User identification policy, 197-198 

User termination policy, 200 

Utility company, security program policy 
example, 32-33 


V 


Video resources, 156 
Violation response and reporting policy, 196, 
197, 204 
Viruses, 8 
ISO 17799 control standards, 79 
prevention policy, 201 
security guidelines and procedures, 26-27 
Voice-mail security policy, 238 




W 


Walkabout, 4 
Warnings, 87 
Work breakdown structure (WBS), 163, 164, 
166, 167-168, 170 
Workstation security policy, 200-201 
Writing mechanics, 13-19, 84-86, 187-188 
key concepts, 15-16 
thesis statement, 17 
time constraints and attention spans, 13-14 
topic sentence, 16-17 
writing don'ts, 18 
Writing procedures, 83-106, 190, See also 
Procedures 


INFORMATION/NETWORK SECURITY 


Information Security Policies, Procedures, 
and Standards 


THOMAS R. PELTIER 


By definition, information security exists to protect your 
organization's valuable information resources. But too 
often, information security efforts are viewed as thwarting 
business objectives. An effective information security 
program preserves your information assets and helps you 
meet business objectives. Information Security Policies, 
Procedures, and Standards: Guidelines for Effective 
Information Security Management provides the tools 
you need to select, develop, and apply a security program 
that will not be seen as a nuisance but as a means to 
meeting your organization's goals. 


Divided into three major sections, the book covers: writing policies, writing procedures, and writing 
standards. Each section begins with a definition of terminology and concepts and a presentation of 
document structures. You can apply each section separately as needed, or you can use the entire text 
to form a comprehensive set of documents. The book contains checklists, sample policies, procedures, 
standards, guidelines, and a synopsis of British Standard 7799 and ISO 17799. 


Peltier provides you with the tools you need to develop policies, procedures, and standards. 
He demonstrates the importance of a clear, concise, and well-written security program. His examination 
of recommended industry best practices illustrates how they can be customized to fit any organization's 
needs. Information Security Policies, Procedures, and Standards helps you create and implement 
information security procedures that will improve every aspect of your enterprise's activities. 


FEATURES 

• Uses BS 7799 and ISO 17799 standards as the foundation for the content 

• Reviews industry standards and presents representative procedures for each of the 10 areas 

• Provides examples, checklists, sample policies and procedures, guidelines, and a synopsis of the 
BS and ISO standards 

• Covers terminology, concepts, and document structures 


Thomas R. Peltier, CISSP, is in his fourth decade of computer technology experience as an operator, 
an applications and systems programmer, systems analyst, and information systems security officer. 
Currently he is the President of Peltier & Associates. Prior to that he was Director of Policies and 
Administration for the Netigy Corporation's Global Security Practice, the National Director for 
Consulting Services for CyberSafe Corporation, and the Corporate 
Information Protection Coordinator for Detroit Edison. 


ISBN 1-84443-1137-4 




AUERBACH PUBLICATIONS 


www.auerbach-publications.com 


